by wellthisisgreat
479 days ago
Usually like reading such posts, but the author's approach did seem very blackmail-like. The CEO is surely coming off as a crazy guy, but the author isn't a white knight or good Samaritan either. The company closed the database access and the guy says "now I will disclose it or you can do X".
Would he have not disclosed it if they offered hush money? We won't know; for his case, I hope not. In any case - what was he expecting? I'd imagine there is a 50%+ chance that any smaller company without a dedicated security team will take this disclosure as a threat and blackmail. Especially since on first, second, and third thought it seems the disclosure would be a way for the author to boost their blog and content marketing for their consulting. If there was a bug bounty or something on their site, it would have been different.

A bog-standard responsible disclosure that any tech CEO should either be familiar with or have someone at hand that is, as is clearly communicated in that e-mail.
Both e-mails are OP reaching out to help this company out: the first fixing the vulnerability, the second giving them a chance for compliance / potential regulatory aspects they might want to follow. It's not on random people reporting security vulnerabilities to tutor random companies on this, and both behaviors (non-responsiveness, then hostility) of this CEO, despite being sadly common, are actively harmful if you want to get productive security reports in the future. (And the company unilaterally signing up for bug bounty programs is rather irrelevant for independent researchers as well if they have no interest in participating in those.)