by chaps 1525 days ago
His experience is similar to one I had a long while back when trying to report to Comcast that I found one of their sysadmins' home directories on GitHub. It had ssh keys, passwords, configs, scripts, etc etc. When I reported it on their support forum, some random dude responded basically saying I found nothing, insulting me, etc. It's wild to me how quickly people will go to insult in these situations.

I ended up making a big stink elsewhere and they got the repo down. Funny enough, their heads of security told me they'd use my disclosure to push the execs into building a big bounty program. Long story short, their CISO told me on the phone that what I found wasn't a "bug", and that if they did a bug bounty program, they'd go bankrupt.

7 comments

> if they did a bug bounty program, they'd go bankrupt.

Ha! Classic Telco. I've seen some in my country and they are an impressive mess of legacy (and many times redundant because of all the M&As) applications and undocumented integrations made by an army of low-paid outsourced integrators.

Also, low effort mode overall, like your CISO friend there, who probably just wants to survive for sufficient time to jump ship.

His bug bounty speech doesn't hold, as they can start with a very low bounty and increase over time to get the interest of higher skilled people and reach more complex bugs, having total control over spending.

Also, Black hat experts probably have those already mapped and are selling them to the highest bidder, and with privacy regulations getting stricter that "bug bill" will come to them sooner or later.

> if they did a bug bounty program, they'd go bankrupt.

I believe it. When I worked for them a few years ago, their internal security was pretty bad, and they had tons of random teams with no security guidance, governance, etc. I think the only reason they could operate at all is nobody is trying to hack them. It might be a little bit better now, but knowing the scale and state of things, there's no way they've magically knitted everyone up into properly managed AWS Organizations, to say nothing of actually supporting individual teams' security needs.

The "good news" about your discovery is that it probably was limited to just one tiny system, because everyone maintained completely independent systems and didn't have access to anything else - not because they weren't allowed, but because you didn't even know what other systems there were, much less know how to request access, and virtually nothing internally used SSO. The only way to learn about what other systems there were was to walk around the floors of the Comcast Building and ask random people what they do.

> Long story short, their CISO told me on the phone that what I found wasn't a "bug", and that if they did a bug bounty program, they'd go bankrupt.

I have no sympathy for these companies. Fix your shit, secure your users. Don't? Well I guess I'm posting these non-bugs all over the net for criminals to enjoy.

> if they did a bug bounty program, they'd go bankrupt.

I appreciate the honesty! I do think that any company that offers a bug bounty program already has their security in order, to the point where they can no longer find any obvious issues themselves anymore. Not having a bug bounty program implies they don't really trust themselves yet, or haven't reached that level of maturity yet. That probably covers most companies though. I know the codebase I inherited at my current employer wouldn't pass even the most superficial security check. Its only line of defense is that it's only on private networks. Until it isn't. I wonder if I should do a google to look for any public instances... just did, I'm only finding a lot of search engine spam thankfully.

Personally, I didn't find the conversation "honest", even loosely.

Comcast is the worst! Seriously, just a terrible company all around. How long ago was this BTW? I think they've had an undisclosed security breach, but this may help prove it.

Probably back in 2016.

Ah, thanks but nevermind then. This disclosure would have taken place around November or December of 2021.

> and that if they did a bug bounty program, they'd go bankrupt.

This is why the bad guys win so often. Even companies that do pay bug bounties often pay very little compared to what exploits could be sold for.

Logically, if nobody reports any bugs, there must not be any!