@nopatience That's a good point to start with, and it works well for pentesting (as in I hire someone to hack me) and bug bounty programmes (as a blanket permission to hack certain systems).
But where do you put whistleblowers who are either reporting something they stumbled upon, or who are actively looking for vulnerabilities outside of any testing permission?
Does it make a difference if third parties, such as customers, were affected by the vulnerability?
Add comment