[ziddoap]

>They should have linked to their website where they publish reports, and been more plain about their intentions from the outset.

I don't get this. Their intentions should be clear by the fact that they reveal the entirety of the issue (what's wrong, why it's wrong, where to find it) in the first email. They don't ask for money, hide information behind further correspondence, or anything else that would raise suspicion.

The company has everything they need to locate, verify, and fix the issue without having to ever interact with the security researcher again. That's about as obviously well-intentioned as you can get.

[quesera]

Like I said, it was "good", and better than most.

But as the reader of lots of these emails, I'm always happier to hear from someone who is able to establish their credibility and intentions with public evidence from the beginning of the conversation.

I'd like to know that I'm dealing with a professional, who takes their work seriously. And I'd like to know if I'm going to be dealing with fallout from next month's feature article as a matter of course, or if I'm being extorted to avoid publishing. (This is a thing).

[ziddoap]

>establish their credibility

>I'd like to know that I'm dealing with a professional, who takes their work seriously

As a sender of these emails, my credibility is established when you go to the location I say there's sensitive data being leaked, and you find sensitive data being leaked. Nothing else should matter.

Are you just going to keep data exposed publicly if, for example, some curious kid notified you instead of a professional?

Hostility to good-faith security research, as shown in the OPs article and in some of the comments here (not specifically you), makes everyone worse off.

Having myself received hostility, demands to prove my credibility, and legal threats when sending notifications like OPs, in most cases now I don't bother to notify anyone. Instead, the data just sits there, accessible to the actual bad guys. Hurray!

[quesera]

No, your "correctness" is established. The credibility of your report is established.

But your credibility as a professional non-extortionist is absolutely still in question, unfortunately.

Again, I've been on both sides. Being the only professional in the room is sometimes the way things work out. But that's OK, because you can walk away from the conversation still being the professional, and they cannot. This pays dividends.

I've run across people years later who apologized for being a jerk in our previous exchange. They were under pressure, didn't fully understand, felt insecure, blah blah whatever who cares. But they realized their error and got smarter for it. And I gained their respect. That doesn't work if you don't stay professional.

[ziddoap]

If I'm asked to be more professional or to prove my credibility to someone leaking the data of their customers, I just laugh. I owe nothing to the company being negligent. A notification email with all the pertinent details is what you get.

If a company isn't going to act on it after confirming my "correctness" just because they want me to show them my diploma and resume, that says a lot more about the company than it does me.

But don't fret, as I said the number of companies that forced me to jump through hoops to report a security issue, or threatened me after reporting one, has made it so I don't often bother anymore. Hopefully someone with a more professional tone emails instead, before the data gets sucked up by Lazarus Group or whoever.

[quesera]

I think we're talking past each other.

Of course you don't owe them anything. And the disclosure is a gift, unless you also use it for self-promotion, which is the usual compensation model aside from bounty programs.

But if you want to improve the ratio of reasonable-to-hostile responses, it's worth spending an extra couple minutes composing your presentation in the most digestible way. Also it's good for business.

If you're serious about helping to improve the net, or being a good netizen, you'll understand that recipients come in all shapes, and you have the best chance of achieving your goals if you make a small extra effort.

If you're at all worried that your report will evoke a hostile response, you always have the option of reporting it anonymously. I've done this, and it does work (vulnerability gets fixed).

Or if you just want to laugh at the colossal morons who don't take you as seriously as you believe you deserve, then sure whatever.