by tptacek 2112 days ago
It's pretty silly to suggest that a state-level adversary needs the help of the person who stumbled across the baked-in credentials in an obfuscated Python binary to accomplish a CNE task. If a state wants to target Tesla, someone will submit a petty cash request to contract someone else to develop Tesla vulnerabilities.

If you're able to sell a Tesla vulnerability to the supply chain of a state-level actor, it's probably because they're already actively exploiting Tesla vulnerabilities. By the time random discoveries like this are part of the supply chain, the supply chain is already chugging along.

I think a good rule of thumb is that no serious actor --- not a state, not a crime ring, not a competitor --- does speculative engineering to accept and operationalize a third-party vulnerability. If they're buying, it's because they already have an operational infrastructure to drop the bug into. When you're figuring out the dollar value a vulnerability has, start by telling yourself the story about the entity that already has a bug just like it, is exploiting it for some articulable purpose, and wants a replacement or 10 in the hopper for later. (I don't think this is a perfectly reliable heuristic, but it's where most of this kind of thinking should start).

1 comment

> It's pretty silly to suggest that a state-level adversary needs the help of the person who stumbled across the baked-in credentials in an obfuscated Python binary to accomplish a CNE task.

I didn't mean they'd want your help. I meant you might end up on some hacker watchlist. You'll get extra attention and scrutiny from government agencies which wouldn't have much upside IMO. Maybe at airports you'll be randomly selected more often so security agencies can look at your devices and try to clone them.

Would you really feel 100% comfortable going to China after being in the news as the person who could have controlled the entire Tesla fleet? I think there are hard-to-measure social costs for gaining that kind of notoriety, and current bug bounty programs aren't properly compensating for them.