Any submission without an exploit? It's routine to find crash bugs or potentially XSS data or injection opportunities without going all the way to a compromised system.
The issue here is that the submitter actually attacked live systems, instead of just reporting on the possibility of malicious library code.
...which is something everyone already knows about, and thus why he couldn't get paid. You don't get paid for actually hacking systems either!