I don't think you get to call yourself polite or well-meaning when you pan them and air their shit out publicly after they respond in a way you don't like. Maybe you were superficially polite, but you do not come across as an angel. I _still_ don't know exactly what your goals are, if you're looking for acknowledgement, payment, or just trying to make the Internet a safer place for users.
I think the roughly 50 public disclosures I did in the last year, where I asked 0 times for anything, kinda show I'm not looking for any payments.
There is a huge issue regarding publicly exposed data that no one seems to want to acknowledge or talk about, what you see online? It's 100 times worse.
I'm someone who is trying to raise awareness through my finds, nothing else.
Also I was initially polite to the company, not once but twice, as I am to anyone I reach out to, why wouldn't I be? I want them to fix the issues, not ignore me.
Don't expect the politeness to be infinite though, especially when you start accusing me of harassment and lying about the severity of the exposure that affects thousands of people, the ones I DO care about, not the companies.
Sure you do. The poster was polite, got an extremely rude response, and has no obligation to be polite afterwards.
Airing their shit out is a disclosure of a vulnerability, and it's important to do. Typically you reach out to say, "how would you prefer I do this?" And work through a common understanding. The company flipped the bird, so it got aired very publicly.
I can call myself a bicycle but I don't have any wheels.
Their behavior when things don't go their way belies their initial "politeness". When the transaction didn't go how they wanted, they pulled the trigger on being a dick, publicly. That is a much worse offense than an impolite email. If this were a coworker or a contractor, it would color all of my interactions with them going forward.
> they pulled the trigger on being a dick, publicly. That is a much worse offense than an impolite email.
brain dead take; the article was impolite, the email was an overt threat by an impotent exec *in response to someone trying to help*!
Dang it bobby, it's not worse to respond to asshattery (the email) with irreverent sunlight (the article).
I also wouldn't call you a bicycle because you're not going anywhere with this attitude. The CEO got a gift, and the author got a middle finger. No matter what happens after, the CEO without a doubt shot first. And shot someone just trying to help. He can get fucked, and anyone defending him can join in too.
I'm not defending him so much as advocating for understanding, grace, transparency, and de-escalation. You of course are welcome to conduct yourself in the ways that you see fit.
Agree. "You're not wrong, Walter, you're just an asshole!" Best case scenario, CEO just got an annoying distraction that was a credible enough threat they had to waste time investigating. Worst case they had a breach and someone is extorting or hacking them. Some grace on the part of the researcher is warranted IMO, despite the amateur handling by the CEO. No one looks good here.
The OP/researcher looks fine. They tried twice to help someone who would eventually prove they didn't deserve their help. They then, after being disrespected, still upheld all the ethical requirements of a security researcher, redacting sensitive information. The CEO looks like a twat waffle, but the researcher is clean, and just looks like someone intolerant of overt disrespect. Being willing to stand up to bullies is admirable, not disheartening.
I don't know how you could see the CEO as a bully in this situation. The researcher clearly has "power" in this situation over the CEO, he pretty much has caught him with his pants down, so in this case the CEO is lashing out at a perceived threat. You are entitled to the opinion that the researcher responded proportionately in this situation, I happen to disagree. I would not want my friends or coworkers responding this way in their daily dealings, I would want to give someone a chance to make amends instead of escalating, because this is not a playground and the stakes for the CEO are very real and potentially very damaging.
I hope maybe we can agree, though, that with a few simple modifications to his approach, he is likely to reduce the probability of negative responses to the initial email. For example, he seems to already understand that people will take this email as a scam or sales attempt. But much is left to the imagination of the (uninformed) recipient about what the author truly _does_ want. By filling in those blanks, the imagination need not be active.
> I don't know how you could see the CEO as a bully in this situation.
someone tried to help him, he responded by making threats, and being rude. This is bully behavior. Why do you think responding to either email with a direct threat is reasonable?
> The researcher clearly has "power" in this situation over the CEO
You don't work in, or around, information security, do you? You're the first person to ever make any claim remotely close to saying any "researcher" has any kind of power. Without the context, if I told any of my security friends about researchers having power, I'd get a laugh about how absurd that idea is.
> he pretty much has caught him with his pants down, so in this case the CEO is lashing out at a perceived threat. You are entitled to the opinion that the researcher responded proportionately in this situation, I happen to disagree. I would not want my friends or coworkers responding this way in their daily dealings,
Much stronger than the expectations I have for security researchers, I wouldn't want my CEO to respond to them like a petty twat. Because when you piss off a researcher, it's just like the cyclist and the car: we can *both* lose https://gr.ht/i/both-lose.png
> I would want to give someone a chance to make amends instead of escalating, because this is not a playground and the stakes for the CEO are very real and potentially very damaging.
yeah, couldn't agree more... maybe you should raise your expectations for the CEO who's paid not to be a POS, and actually has a duty to protect users, instead of the random trying to stop bad things happening to people he doesn't know?
> I hope maybe we can agree, though, that with a few simple modifications to his approach, he is likely to reduce the probability of negative responses to the initial email. For example, he seems to already understand that people will take this email as a scam or sales attempt. But much is left to the imagination of the (uninformed) recipient about what the author truly _does_ want. By filling in those blanks, the imagination need not be active.
It's not his responsibility to do any of that, that's the CEO's. Across all your replies, you defend the CEO like he's your brother. Hold *THEM* to the higher standard.
> someone tried to help him, he responded by making threats
My whole point is that he doesn't actually know what the researcher wants, saw it as a threat, and responded to it as if it were a threat.
> You're the first person to ever make any claim remotely close to saying any "researcher" has any kind of power.
Having the entirety of their application database including customer PII, possibly the capability to encrypt the database and extort the company with it, not to mention the possibility of other potentially undisclosed vulnerabilities, decidedly IS significant power over a company. That's how bad actors are able to use any combination of these things to make money.
> Much stronger than the expectations I have for security researchers, I wouldn't want my CEO to respond to them like a petty twat.
I agree whole-heartedly. As for the rest, we more or less agree, you just are putting the onus on the CEO. I also expect more out of a CEO. I just don't think that feedback is actually particularly constructive to the audience here at HN.
> I also expect more out of a CEO. I just don't think that feedback is actually particularly constructive.
Your attempts to put any onus on the researcher are actively harmful. No one should point fingers at the researchers trying to help. We should all point fingers at the primary person who's able to prevent bad things happening. You haven't once attempted to put any responsibility on the CEO. This is the first time. You asked in another reply if everyone else is being dense; but you're the one blaming the researcher, did you stop to consider, if everyone disagrees with you, that maybe you're the problem?
edit:
> My whole point is that he doesn't actually know what the researcher wants, saw it as a threat, and responded to it as if it were a threat.
Yeah, and doing that was gross negligence. There's a reason you're not allowed to waive harms arising from gross negligence.
Not sure if you read my 2 emails to the company but I would say I was polite to them and was met with accusations of harassment and straight up lies.
Don't expect me to pat you on the back if you come at me with such claims when I simply alerted you to a security issue.