[KronisLV]

> I hope he doesn't get caught in litigations.

If you ever discover vulnerabilities, responsible disclosure seems like the only way to try to keep yourself out of trouble and even then only if ignorant people in the company/lawmakers won't misconstrue what has happened and want to put you in jail regardless.

Going on the company Slack, announcing that you're a hacker who has stolen data and finishing your messages with something negative about the company does not seem to be a good way of doing that:

> Hi @here

> I announce i am a hacker and uber has suffered a data breach.

> Slack has been stolen, confidential data with Confluence, stash and 2 monorepos from phabricator have also been stolen, along with secrets from sneakers.

> #uberunderpaisdrives

That feels like opening yourself up to being treated as a criminal, especially if you post about it elsewhere (like social media) and the "breach" gets attention, which might negatively impact the stock price of the company in question.

It's good that many companies out there have bug bounties and hopefully InfoSec will be improved as a consequence of this, but there are better ways about achieving the same result, without putting yourself at so much risk.

[that_guy_iain]

Well, considering what they did was a crime. Being treated like a criminal seems fair.

[KronisLV]

Indeed, which is unfortunate, since there already is a better way to go about this (in most cases): https://hackerone.com/uber?type=team

Except for the social engineering aspect, in regards to acquiring the credentials, however.

Which makes the situation even more problematic.

[parkingrift]

This kind found a power shell script on a shared drive with plain text admin credentials to practically every internal Uber system. How exactly is anyone supposed to submit a bug bounty for that?

[878654Tom]

I sometimes do these bug bounties and some of these are just...

I mean Uber critical max payout is... $15.000. These are bugs that leak out client data and could possible damage the company for millions. I've had companies that argued with me that loss of client data wasn't critical but minor. Some even just give a bounty of $250.

Not that this excuses the behavior of hackers leaking confidential data but companies easily pay millions for anti-virus software that only detects well-known viruses but skimp on zero-days in their own software.

[that_guy_iain]

I’m not sure why people are acting like this was anything but a criminal act that was from beginning to end anything but a security researcher.

Just because it was a teen whole wrote that they stole things.

[boltzmann-brain]

It should be clear that the user you're replying to was using humor.