by mevile 3681 days ago
I'm not addressing the FBI response, but hear me out. As a security researcher you have to stop at the first vulnerability. Don't use the vulnerability to get more information. It's the company's responsibility to ascertain the impact of the problem. This person should not have attempted to download anything from the FTP server. They should have spotted the FTP server, notified the company and made it clear they never attempted to download anything from it.

There was a similar issue with S3 credentials and Facebook a few months ago. The security researcher went too far. There was a large outcry by everyone about Facebook's response. I'm not addressing the response. I'm saying as a security researcher you need to protect yourself by trying very hard to limit the impact of what you're doing to remove the risk of legal liability. Only go as far as the first problem and no further.