by nowprovision 3589 days ago
Bye bye digitalocean - account deletion request submitted 1178917. When you have reckless people like Cashan Stine (trust & safety specialist - WTF is that title? sounds like a road safety officer?) that close accounts due to a security report then it won't win any business from me or my clients.
4 comments

That's not why his account was closed. His account was closed not for discovering a vulnerability, but for exploiting it.

While his intentions might have been good (and I expect that they were!), that kind of behavior isn't.

He did not exploit it; he just provided proof. He did not make any money from the traffic, and visitors just saw a white page.

That is exploiting the bug. That is literally exploiting the bug. In the same paragraph where you say he did not exploit the bug, you describe the peripherals of his exploit of the bug.

If he was operating responsibly, he would have applied it to a domain he controlled and provided that as a proof of concept. Instead, he ganked twenty thousand domains. That is at best irresponsible and at worst malicious and DigitalOcean (who I am no fan of, for what it's worth) has no obligation to figure out, or even care, which is which before showing him the door.

Doing it once, proof. Doing it 20,000 times... Exploit.

If you'd just straight-up cancel an account that fast, I don't believe you had any service or clients hosted on DigitalOcean. Idle threats belong on Facebook and Twitter, not Hacker News.

You don't need to make a deletion request; you can deactivate your account from your account settings, and it offers to delete everything for you. That's what I did when I wanted to close my account recently (I wasn't using the droplets I had, and liked my other VPS better anyway.)
>and liked my other VPS better anyway

Which ones?

Ramnode. Their prices are good and their support is phenomenal. I've always gotten replies to my tickets within minutes, often from Nick Adams himself (Ramnode's CEO.)

A few examples:

- Whenever a new release of OpenBSD comes out, I send a request for them to add the new install media, and they make it available ASAP.

- I switched from OpenVZ to KVM after a couple months and having paid for a year of the OpenVZ service, and they put my remaining credit toward the new service.

- I completely hosed my machine one time and had them restore from backup. Took a while because they wanted to be double-extra-sure of what I wanted, but it was overall a quick and painless process.

I don't know how things will change as they grow, but right now they just seem like a good company, run by people who care about the quality of their product and the satisfaction of their customers.

I've reported multiple vulnerabilities to DigitalOcean before and they've fixed them rapidly, credited me for the effort, and gave me free time on their services.

The difference is I didn't exploit 20 thousand domains to make flashy headlines and prove a point about something that isn't even a serious bug.

You're coming across as a shill either to make DO seem like an infallible company or to blatantly astroturf enough to get people to hate DO (see jsmthrowaway's sibling comment).

I'm less inclined to believe the latter. I'm looking forward to transferring my domains on DO to elsewhere tonight.

I'm just sharing my experience of what happens when you disclose bugs responsibly.

I'd be happy to share bug tickets with anyone who isn't on some silly shill-hunting crusade, for sure, despite my trollish throwaway name.

More throwaway astroturfing? You say "20 thousand" the same way as your other likely throwaway account, V8OaSsoA (that is to say: somewhat identifiably) and complained about someone ripping off DigitalOcean's Web design on this account.

I'm doing math on the throwaways that are oddly attracted to this thread. You are making it very obvious that you are almost certainly a DigitalOcean employee across the two throwaways you've created so far, and that's giving me a whole lot of pause on DigitalOcean that I didn't have from reading the incident itself. If you're an employee or, less likely, a superfan, are you sure this is the type of sustained attack you want to levy? It's not making anybody look good.

Eh, I used '20 thousand' in one of my responses, does that mean I'm the real identity of the throwaways?

Probably not.

Yeah, if it wasn't obvious enough already, I used that number because it's the one in the headline of the article...

I really doubt DO would hire me. And any admin could look up what you said and disprove it. I'm not using any proxies or VPN.

Mmmmm, smell that plastic grass.