[aaronwp]

Yes, if PII is involved it's common to run an audit like this. In addition to the access keys on the server image, Sega also accidentally published a database export containing PII. In order to write a comprehensive disclosure I have to investigate thoroughly.

And yeah, there's no branding or information on HackerOne. Even if this had been in scope, I would have thought twice about submitting anything. Our publishing standards match HackerOne ethical disclosure standards.

[phnofive]

Did Sega agree to this public disclosure?

Referring to the HackerOne standards, it appears your team violated a couple:

> Respect privacy. Make a good faith effort not to access or destroy another user's data.

> Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.

[wwtrv]

Public disclosing it seems to clearly fall under the ‘ Act for the common good through the prompt’ since SEGA’s user are the real victims in this situation and have the right to known that SEGA us incapable of keeping their data safe.

[batch12]

This sounds similar to justification used by ransomware groups.

[rectang]

Only under the most carelessly superficial analysis.

Is there any limit to the vast, systemic negligence and enabled criminality which can be excused away into nothingness because the circumstances under which they were made public were problematic?

This isn't a criminal prosecution of the company who was irresponsible with user data. If the people who exposed the negligence screwed up, that doesn't mean we have to act as though that the negligence ever happened.

Demonizing the messenger while remaining silent about the message is a choice.

[batch12]

Mostly agree. It is unfortunate that the methods used by the messenger add distractions to the situation.

The point I am trying to make is the ends don't absolve the hacker from consequences. Ransomware operators often blame their victims for poor security and frame their actions as security-as-a-service.

[rectang]

> The point I am trying to make is the ends don't absolve the hacker from consequences.

I agree on this point. I see it as analogous to holding your allies to a standard that your adversaries are unwilling to uphold.

In this case I categorize both black hats and toxic data hoarding companies (including their techie apologist employees) as "adversaries" (though I don't assert you agree with my assessment).

> Ransomware operators often blame their victims for poor security and frame their actions as security-as-a-service.

Despicable victim blaming by the very party doing the victimizing.

I understand why advertising a VPN service can be seen as analogous, even if the scale of profiteering is not comparable.

The argument against toxic data hoarding is easier to make when untainted by exploitative profit motive.

[tentacleuno]

> Even if this had been in scope, I would have thought twice about submitting anything.

Sorry, I don't understand. Why would you be hesitant to responsibly disclose it to HackerOne?

[phnofive]

They didn't know about it beforehand, but even if you visit the page, it says that SEGA Sammy hasn't claimed it, so it appears unofficial.