Threatbutt irresponsible disclosure policy

Following the recent unpleasantries with our approximately near equal peer, FireEye (FEYE +0.11), Threatbutt would like to make its position murky clear on its security posture and how it cooperates with security researchers.

Threatbutt Inc takes all reports of security issues comically and we do our best to share them around numerous IRC backchannels for all of us to have a giggle at. We believe in the following hilarious irresponsible disclosure policy, assuming you can't sell your bug to the highest bidder in Italy unless they use PGP.

Contacting Threatbutt "Security"

To optimistically attempt to report a vulnerability in any of our suite of Viking grade advanced threaty threat products, please consult the following chart:

DoS or "Denial" "Of" "Service"

Remote Code Execution or "Mad 'sploit"

XSS, XSRF, other web-based bugs.

Any submissions run through the gauntlet of GPG/SMIME/CryptoCat will be deleted on sight.

CVE allocation

That's a drugstore, right? Oh Mitre, they're still doing that? Bless them. Well, if you insist on doing that. I'm pretty confident Nessus would love to use your CVE data to one day end up in an unread PDF for someone.

Disclosure timeline and dollah

All Serious Sensitive Security Issues (hereafter known as "mad vulns") should be submitted at the Serious Security Researcher's leisure; we will, within 90 days at most, do absolutely nothing about them. We believe this to be the most productive course of action to continue to protect the customers and partners using our products and services to secure their companies. You are more than welcome to request a status update at any time, by shouting at the sky or into a well.

If, by some complete failure on our part, we happen to read your mad vuln report and it is a valid security bug in our Advanced Threat Defense Platform Dot Com, we will probably laugh for a brief period, then send you an enterprise license if you foolishly/bravely included your address.

If your mad vuln pops calc.exe on a Unix/Linux platform, either through pulling down VMware/Virtualbox or Wine, or RDPing to a public Windows machine and running calc.exe, then you will receive a coveted "ThreatButton".

If you mention "Hall of fame" in your submission, we will find you and push you over in the street.

At some point, we will bribe someone from @CluelessSec to link to your report, unless it does something cool.

Customer security

If you are an enterprise customer affected by one of these mad vulns, then Threatbutt Inc will offer you full credit monitoring for up to a year. To qualify for this, you should email us a scan of both sides of your credit card and the username, password and any other authentication data required for your online banking.

Our customers never fucking calling us is our number one priority. We take customer security very very seriously, like totes seriously. Y'huh. That.

Legal notice

If you have lawyers and/or money, all of this goes out the window. We don't even know what you're talking about! Threatbutt? Yeah they moved out a couple of weeks before we got here, never met them.