Hacker News new | ask | show | jobs
by autoexec 884 days ago
> Everything after October 18 is a back-and-forth between CERT-In and me trying to determine if there would be a bug bounty reward. TTIBI never responded to the question, so I decided to close the case on December 22 and CERT-In sent me a nice appreciation letter.

If a "leading Insurance Broker across India" can't afford to hire competent developers the least they can do is throw a couple bucks at someone who took the time to identify the multiple severe problems that jeopardized their customers and who notified them responsibly.

The fact that they didn't and still haven't reset the password of the compromised email account blows my mind. Why would I ever trust a company that acts like this to do anything right? It seems like Toyota Tsusho Insurance Broker India should be avoided like the plague.
3 comments
zelon88 884 days ago
I've seen similar levels of incompetence first hand. This isn't someone actively ignoring important security warnings. This is someone not understanding what you are talking about. This is someone who, at a fundamental level, has no grasp of the landscape they are operating in or the challenges they are up against. This is someone who wants you to go away because the jargon you're talking doesn't make any sense to them or their team.

"Please stop sending me these confusing emails. I have important work to do."

The only way to fix this is a "changing of the guard" at the organizational level. The IT boss, and everything he has ever touched, has to go.

link
autoexec 884 days ago
> This is someone who, at a fundamental level, has no grasp of the landscape they are operating in or the challenges they are up against. This is someone who wants you to go away because the jargon you're talking doesn't make any sense to them or their team.

Sounds like exactly the kind of someone you wouldn't want to have to trust with your personal information let alone trust to manage your life/property/business/liability insurance.

link
zelon88 884 days ago
Unfortunately the people in charge of hiring IT Directors often aren't qualified to hire IT Directors.
link
swader999 884 days ago
Don't stop there.
link
dirtyhippiefree 884 days ago
The Peter Principle…people get promoted into incompetence.
link
cduzz 884 days ago
We put peter there.

He's doing the job we put him there to do.

link
dirtyhippiefree 884 days ago
The Peter Principle says people get promoted until they can’t do the job. If you aren’t being promoted to a higher position people wonder about you…

I see your point, did you know it’s a book?

Dang

Harvard Business Review: https://hbr.org/2014/12/overcoming-the-peter-principle

link
cduzz 879 days ago
I'm off-handedly referring to "the gervais principle[1]"

[1] https://www.ribbonfarm.com/2009/10/07/the-gervais-principle-...

link
AndrewKemendo 884 days ago
Most likely there are few alternatives

which likely led to this issue in the first place

link
cwmoore 884 days ago
Unlike other scenarios!
link
AndrewKemendo 884 days ago
You mean most scenarios?
link
semiquaver 884 days ago
That’s a load-bearing password!
link