
> The author is completely dismissing [0] the entire product
If he's looking for bug bounties (be it for cash, kudos, principles, or to see it fixed), and he finds a security bug and doesn't get a bounty, why would he keep looking?

Fool me once, shame on you; fool me twice...



There are rules for bug bounty programs: https://hackerone.com/keybase


Which one of those "outside the scope" categories would you say this one falls into then?

To me it reads like there's nothing preventing this bug report from deserving a bounty.


None of these bullets are “open and shut cases”, but all are related without needing a major leap, especially the first one.

* Content spoofing / text injection

* Issues related to software or protocols not under Keybase control

* Reports of spam

* Vulnerabilities affecting users of outdated or unpatched browsers and platforms

Do I agree with their (alleged) actions? NO! But as I know several folks at Keybase personally, I’m sure there’s another side to this story and I’m willing to give them some benefit of the doubt until I hear otherwise.


If this vulnerability can fit those 4 categories, what kind of vulnerability would you be confident would qualify for the bounty?


That’s the problem, I feel their exclusions from bounty are too wide. This vulnerability if confirmed should be eligible for some bounty imho. That said, they published the exclusions publicly, so getting butt hurt over not getting paid when they said you wouldn’t feels a bit petty to me.


Why do you say he's butt hurt? He doesn't even mention not getting paid. The post is about Keybase not taking a security vulnerability seriously. Is it petty to warn people about an insecure product?


> Why do you say he's butt hurt?

I didn’t. It was a generalized statement about the bounty terms, not directed at any one person.


Keybase is clearly stating that it is in fact not a bug, but an intentionally unimplemented feature.


You think the guy who wrote the article should swallow that line of BS and be motivated to do more free pentesting for them?



