I would like to bring to discussion this topic because it covers some good points:
- how much time a company fix vulnerabilities
- do you think some companies trick researchers telling that its a “duplicate”
- does duplicate applies on the 90 days policy?
- should companies still reward/acknowledge duplicates?
Let me hear back from y’all