[grayhatter]

The OP/researcher looks fine. They tried twice to help someone who would eventually prove they didn't deserve they help. They then, after being disrespected, still upheld all the ethical requirements from a security researcher, redacting sensitive information. The CEO looks like a twat waffle, but the researcher is clean, and just looks like someone intolerant of overt disrespect. Being willing to stand up to bullies is admirable, not disheartening.

[DangitBobby]

I don't know how you could see the CEO as a bully in this situation. The researcher clearly has "power" in this situation over the CEO, he pretty much has caught him with his pants down, so in this case the CEO is lashing out at a perceived threat. You are entitled to the opinion that the researcher responded proportionately in this situation, I happen to disagree. I would not want my friends or coworkers responding this way in their daily dealings, I would want to give someone a chance to make amends instead of escalating, because this is not a playground and the stakes for the CEO are very real and potentially very damaging.

I hope maybe we can agree, though, that with a few simple modifications to his approach, he is likely to reduce the probability of negative responses to the initial email. For example, he seems to already understand that people will take this email as a scam or sales attempt. But much is left to the imagination of the (uninformed) recipient about what the auth truly _does_ want. By filling in those blanks, the imagination need not be active.

[grayhatter]

> I don't know how you could see the CEO as a bully in this situation.

someone tried to help him, he responded by making threats, and being rude. This is bully behavior. Why do you think responding to either email with a direct threat is reasonable?

> The researcher clearly has "power" in this situation over the CEO

You don't work in, or around information security do you? You're the first person to ever make any claim remotely close to saying any "researcher" has any kind of power. Without the context, if I told any of my security friends about researchers having power, I'd get a laugh about how absurd that idea is.

> he pretty much has caught him with his pants down, so in this case the CEO is lashing out at a perceived threat. You are entitled to the opinion that the researcher responded proportionately in this situation, I happen to disagree. I would not want my friends or coworkers responding this way in their daily dealings,

Much stronger than the expectations I have for security researchers, I wouldn't want my CEO to respond to them like a petty twat. Because when you piss off a researcher, just like the cyclist and the car. We can *both* lose https://gr.ht/i/both-lose.png

> I would want to give someone a chance to make amends instead of escalating, because this is not a playground and the stakes for the CEO are very real and potentially very damaging.

yeah, couldn't agree more... maybe you should raise your expectations for the CEO who's paid not to be a POS, and actually has a duty to protect users, instead of the random trying to stop bad things happening to people he doesn't know?

> I hope maybe we can agree, though, that with a few simple modifications to his approach, he is likely to reduce the probability of negative responses to the initial email. For example, he seems to already understand that people will take this email as a scam or sales attempt. But much is left to the imagination of the (uninformed) recipient about what the auth truly _does_ want. By filling in those blanks, the imagination need not be active.

It's not his responsibility to do any of that, that's the CEOs. Across all your replies, you defend the CEO like he's your brother. Hold *THEM* to the higher standard.

[DangitBobby]

> someone tried to help him, he responded by making threats

My whole point is that he doesn't actually know what the researcher wants, saw it as a threat, and responded to it as if it were a threat.

> You're the first person to ever make any claim remotely close to saying any "researcher" has any kind of power.

Having the entirety of their application database including customer PII, possibly the capability to encrypt the database and extort the company with it, not to mention the possibility of other potentially undisclosed vulnerabilities, decidedly IS significant power over a company. That's how bad actors are able to use any combination of these things to make money.

> Much stronger than the expectations I have for security researchers, I wouldn't want my CEO to respond to them like a petty twat.

I agree whole-heartedly. As for the rest, we more or less agree, you just are putting the onus on the CEO. I also expect more out of a CEO. I just don't think that feedback is actually particularly constructive to the audience here at HN.

[grayhatter]

> I also expect more out of a CEO. I just don't think that feedback is actually particularly constructive.

Your attempts to put any onus on the researcher are actively harmful. No one should point finger at the researchers trying to help. We should all point fingers at the primary person who's able to prevent bad things happening. You haven't once attempted to put any responsibility on the CEO. This is the first time. You asked in another reply if everyone else is being dense; but you're the one blaming the researcher, did you stop to consider if everyone disagrees with you, that maybe you're the problem?

edit:

> My whole point is that he doesn't actually know what the researcher wants, saw it as a threat, and responded to it as if it were a threat.

Yeah, and doing that was gross negligence. There's a reason you're not allowed waive harms arising from gross negligence.

[DangitBobby]

The CEO is not here, and will never, ever be here, so criticism of him is not constructive, further the author already criticized him and so do many comments here. It is plain to see he acted like an idiot, and no one thinks he is the hero here. That's why it's not constructive. Maybe my response is actively harmful, I don't know, that's not what I'm after, of course.