[grayhatter]

Step 6 happened because the CEO in his hubris, decided it would be in his best interests to threaten someone instead of being greatful.

Additionally, had the CEO responded appropriately and followed the standard methodology of all reasonable bug bounty programs, it would have included a request for the researcher to verify the fix and that there are no additional related bugs or defects with the current patch.

You noticed that the email implies the security has been perfected. Did you also note that it would be unethical for a professional to blindly convey that false belief.

[tptacek]

I'm wondering how it's possible that step 6 happened, not what the motivations are. It's written in multiple places as if database queries were issued after the database was taken down.

[TremendousJudge]

I think the data he discloses in the post is the one that he got before getting in contact with the company. He does this in order to prove that the database was accesible to anyone on the internet, instead of the "no breach at all" claimed on the response email.

[tptacek]

He writes as if he has access to large quantities of data after the CEO responded to him, which implies that it was after the exposed database was fixed, as the author acknowledges in the email he sent to the CEO.

[JayeLTee]

No I did not query the database after it was exposed.

The information I had was from when the database was publicly exposed.

I don't want to be too specific about the links for the files as I don't know if others accessed this information and could exploit it but they had the website path to download the files exposed on the database, you just needed to know what to add to it, I tried a few things from the information I had and found out they worked.

I would of probably skipped over this, but after their response I wondered if there was more to it.

The files were not stored on the database, they were on a cloud storage but that link made it so no authentication was required to access them (not an expert but would say some hard coded access keys or something similar).

[JayeLTee]

No I did not query the database after it was fixed.*

[grayhatter]

Did you not consider the CEO would just lie about fixing something?

[tptacek]

I assume the author isn't lying when they acknowledged that it had been.

[grayhatter]

I'm lost, what are you referring to? The author references the claim by the CEO, and then goes on to prove it was a lie.

That's a very common linguistical pattern.

[tptacek]

The email that the author sends to the CEO, in which his rationale for immediate disclosure is the fact that the database was fixed.

[grayhatter]

To which the CEO was rude and dismissive and threatening. Which is often a sign of having something to hide. I assume the author decided to then verify if the threats were made from a position of strength or weakness.

I read his email as a polite gesture, giving them a chance to request more time. I'm still confused as to what parts you're missing. Are you trying to imply something, or do you really not understand that people can lie and withhold information?