[mcdwayne]

Yikes. It is sad to hear stories like that, where security is not a concern until panic sets in. :(

Yet another reason we need to adopt standards like security.txt and make it easy to report these things as it is to tell robots to ignore us with robots.txt. See securitytxt.org for more on the project.

[bisby]

It's tough. I'm our public security reporting email list.

We get a lot of things that boil down to "When I go to your website, I am able to see the content of your html files!" ... yes, reporter. That is what a web server does. It gives you HTML files. Congrats that you have figure out the dev console on your browser, but you're not a hacker. I'm trying to go with Hanlon's razor here and assume this is inexperienced people and not outright scams.

We don't get a lot of these, but they far outweigh actual credible reports. But we try our best and take everything seriously until it can get disproven. And it's exhausting. So I get it sometimes. Sometimes having a place for responsible disclosure just opens yourself up to doing more paperwork (verifying that the fake reports are fake). That said, we still do it.

[leesalminen]

> Sometimes having a place for responsible disclosure just opens yourself up to doing more paperwork

100% this. And it bites harder when you’re a scrappy time constrained startup, or just offering a public service.

I maintain a public API that returns public information- observable facts about the world. As such, the API doesn’t have any authn/z. Anyone can use it as little or as much as they want, free of charge.

Of course I get at least 1 email per year telling me my API is insecure and that I should really set up some OAuth JWT tokens and blah blah blah.

I used to reply telling them they are wrong but it gets hostile because they want money for finding the “vulnerability”.

On the flip side, at another company I once got a security@ email that sounded like a false alarm. I quickly wrote it off and sent a templates response. Then they came back with screenshots of things that shocked me. It was not a false alarm. That guy got paid a handsome sum and an apology from me for writing him off.

[bisby]

Or this! It's not just paperwork, but also mental capacity. Having a place for responsible disclosure yields enough "fake" disclosures that you become desensitized to it. Boy who cried wolf style.

It's possible "security isn't a concern" because they are dismissing the report, not the security.

[dinvlad]

I think the fundamental problem is, a lot of orgs just don't care about security, as it doesn't affect their bottom-line. Even breaches are only a temporary hit on the PR. Proper way to address that might just be legislation, with heavy fines based on total revenue.

That and also security is just hard to scale. That's why if it was mandated by legislation, companies would be forced to spend a comparable amount on scaling their security teams and efforts.

[autoexec]

Most respectable services will have an abuse@ address you can contact. They should at least be able to get your issues where they need to go internally. I've had very good results for companies and networks in the US.