by DangitBobby 483 days ago
> someone tried to help him, he responded by making threats

My whole point is that he doesn't actually know what the researcher wants, saw it as a threat, and responded to it as if it were a threat.

> You're the first person to ever make any claim remotely close to saying any "researcher" has any kind of power.

Having the entirety of their application database including customer PII, possibly the capability to encrypt the database and extort the company with it, not to mention the possibility of other potentially undisclosed vulnerabilities, decidedly IS significant power over a company. That's how bad actors are able to use any combination of these things to make money.

> Much stronger than the expectations I have for security researchers, I wouldn't want my CEO to respond to them like a petty twat.

I agree whole-heartedly. As for the rest, we more or less agree, you just are putting the onus on the CEO. I also expect more out of a CEO. I just don't think that feedback is actually particularly constructive to the audience here at HN.

1 comments

> I also expect more out of a CEO. I just don't think that feedback is actually particularly constructive.

Your attempts to put any onus on the researcher are actively harmful. No one should point fingers at the researchers trying to help. We should all point fingers at the primary person who's able to prevent bad things happening. You haven't once attempted to put any responsibility on the CEO. This is the first time. You asked in another reply if everyone else is being dense; but you're the one blaming the researcher, did you stop to consider if everyone disagrees with you, that maybe you're the problem?

edit:

> My whole point is that he doesn't actually know what the researcher wants, saw it as a threat, and responded to it as if it were a threat.

Yeah, and doing that was gross negligence. There's a reason you're not allowed to waive harms arising from gross negligence.

The CEO is not here, and will never, ever be here, so criticism of him is not constructive; further, the author already criticized him and so do many comments here. It is plain to see he acted like an idiot, and no one thinks he is the hero here. That's why it's not constructive. Maybe my response is actively harmful, I don't know, that's not what I'm after, of course.