by weitendorf 289 days ago
Reading between the lines, it looks like the story behind the story here is that this security researcher followed responsible disclosure policies and confirmed that the vulnerabilities were fixed before making this post, but never heard back anything from the company (and thus didn’t get paid, although that’s only a fair expectation if they’ve formally set expectations for paying out on stuff like this ahead of time).

I’m curious about the legal/reputational implications of this.

I personally found some embarrassing security vulnerabilities in a very high profile tech startup and followed responsible disclosure to their security team, but once I got invited to their HackerOne I saw they had only done a handful of payouts ever and they were all like $2k. I was able to do some pretty serious stuff with what I found and figured it was probably more like a $10k-$50k vuln, and I was pretty busy at the time so I just never did all the formal write up stuff they presumably wanted me to do (I had already sent them several highly detailed emails) because it wouldn’t be worth a measly $2k. Does that mean I can make a post like this?

11 comments

They heard back from the company alright, they DMCA'd the post: https://infosec.exchange/@bobdahacker/115158347003096276

The screenshot of the email lacks detail so I don't know what part of the DMCA the author breached here, but this feels a lot like your standard DMCA abuse.

This AI generated takedown was funded in part by a Y-Combinator: https://cyble.com/press/cyble-recognized-among-ai-startups-f...

Someone should see if YC will fund an ai-first company to help individuals and companies fight back against DMCA abuse and seek compensation
Interested to hear the financial model for this one.
We’ll use an influencer for example. A false DMCA claim has costs for them. Immediate costs in time, demonetizing, and reputation. It also has longer term risks - e.g., copyright strikes become bans. They are incentivized to push back but have limited tools to do so.

When dealing with a company whose business is filing DMCA complaints using an automated system, the business model isn’t a lawsuit - it’s a settlement where the influencer is made whole and you get paid. The risk to the company is existential if you have enough clients using you to push back and risking them getting a platform ban or an injunction against them filing automated DMCA complaints. Say they file a thousand complaints a day against a thousand YouTube channels. If even 50 of those channels file a counter claim it’s going to set off alarm bells.

All that being said, the most toxic part of this is the company calling itself a cyber security company and trying to obfuscate seemingly pretty responsible disclosures using DMCA.

Flat fee, plus percentage of the winnings from damage claims?
I did not know Cloudflare treats fake DMCAs the same way as Youtube. Since when!?
Can we start discussing 'you can run your own website/cloudflare/isp/backbone' conversation all over again instead of addressing some basic level of fair play?
cloudflare is a crappy company
DMCA penalties are so severe that all parties are incentivised to run/use a parallel scheme.
This fits with the complete lack of care for ethics and societal awareness from Gary and Paul on down. They just want companies that can succeed by the usual amoral metrics of Silicon Valley (money). Which is entirely their right, but here is one of the social costs in a form most “hacker” founders can maybe appreciate. (As opposed to a low income resident getting evicted to make way for an illegal Airbnb)
Just imagining the world without Gary Tan and his ilk...
As a nitpick, you’re describing coordinated disclosure.

Branding it as “responsible” puts the thumb on the scale that somehow not coordinating with the vendor is irresponsible.

It is irresponsible. It brings attention to an issue that has not yet been resolved, which will likely lead to users getting data stolen/scammed.

Even the most security-aware companies have a process to fix vulnerabilities, which takes time.

I would never hire someone that doesn't responsibly coordinate with the vendor. In most cases it's either malicious or shows a complete lack of good judgement.

In the case of bobdajrhacker? Both.

It could never be anywhere near as irresponsible as the original bad security practices, though. At some point, if you wanna make money by handling people's sensitive data, you are the responsible party, not everyone else.
Some companies will keep systems vulnerable indefinitely. If a company hasn’t fixed the issue in a year, public disclosure is likely a better option than doing nothing.
Yes, that is why responsible disclosure almost always comes with deadlines. You give the company the chance to resolve the issue and mitigate user impact. But if they are taking so long that the user impact will be higher, then you just disclose.
What if your assessment is that the user impact is already high enough that the right time to disclose is immediately?
If you assess that the best time to publicly disclose is immediately then disclose immediately.

But I find that this case is rare. Typically it would be something like many of the following being met:

- It is likely to be discovered by an attacker soon.

- History shows that the company is unlikely to fix it soon.

- Users have some way to protect themselves.

- Your disclosure is likely to reach a significant number of users.

Users at large have a right to know if their data is being handled recklessly by any person or group, and just because some entity has arbitrary rules and poor communication/practices on how they want to be told about disclosures, it doesn't in any way make it irresponsible to let the public know: hey, your shit is getting recorded and is available for anyone to download and listen to.
Why do you think this? It clearly says that RBI fixed the issue on the day it was found and disclosed.

It seems pretty reasonable to publish, given that?

Are you in a position to hire security engineers?
It was resolved? In the 'Timeline: The Speed Run' section they list:

"Day 1, same day: RBI fixes everything faster than you can say "code red""

I would say that it is responsible disclosure. Or anyways, not doing that is irresponsible disclosure. The corporation may be hurt by early disclosure, and that’s whatever, but very often, there are a ton of ordinary people that are collateral damage, and the only thing they did wrong was exist in a society where handing over hoards of personal data to a huge corporation is unavoidable.

So yes, anyone who discloses before the company has had a reasonable chance to fix things is indeed irresponsible.

This seems to presume the company is ready and willing to take feedback.

Maybe things are better now.

Years ago the only contact for many companies was through customer service. "What do you mean you're in our computer? You're obviously on the phone!"

Also "Oh, you hacked us? We'll call the police right away. You're going to jail." - followed by you actually going to jail for many years. Sometimes, anonymous, public, uncoordinated disclosure actually leads to the best security outcome in the long run, since security researchers in jail isn't that.
Yes. I live in a state where a journalist reported a Department of Education system leaking teacher SSNs and the governor sent state troopers after him.

Doing the right thing can be awfully unpleasant.

> This seems to presume the company is ready and willing to take feedback.

Near the bottom of the blog post it says:

> When | What Happened

> Day 1, same day | RBI fixes everything faster than you can say "code red"

> Credit where it's due – RBI's response time was impressive.

Oops. I mean that generally my experiences have been less good.
You're assuming that the choice is between immediate public disclosure and coordinated disclosure. Doing "the responsible thing" takes effort that is often disrespected (sometimes to the extreme).

I'm so sick and tired of some companies that any vulnerability I find in their products going forward is an immediate public disclosure. It's either that or no disclosure, and it would be irresponsible not to disclose it at all.

Agreed.

Cracked a thrift store IoT medical device. Contacted vendor. They sent me a one way NDA. Lol no.

I've been trapped in a quasi-NDA on bug bounty platforms too. The vendor just refused to make the report public long after the vulnerability had been fixed, likely to cover it up in case of any resulting damages claims (it was a financial platform and the bug affected withdrawals of customer funds).

The platform knows my identity, publishing the details would be against their terms, there's an implied threat that they could take legal action against me if I published the details, and they even low-balled the severity to avoid paying out the appropriate amount. Awesome experience overall.

What about users who are affected by the vulnerability in the time it takes between reporting to the vendor and remediation?
That's the tradeoff. If you disclose it broadly without a grace period, someone who didn't even know about the vulnerability before will exploit it faster than even the best postured companies can fix it.
That seems to depend a lot on the vulnerability, and the company, and the users.

I'm not suggesting in this thread that coordinating with vendors is bad. I'm suggesting that to frame any non-coordinated disclosure as inherently irresponsible is bad, and that is what is implied when we use the label "responsible disclosure" for "coordinated disclosure".

What you're describing as branding is actually an opinion. Calling it branding (with its negative connotations) is putting the thumb on the scale.
I’m saying out loud “I think rebranding coordinated disclosure as responsible disclosure has negative impacts and we shouldn’t do it”.

That's not putting my thumb on the scale so much as shouting my opinion. The rebrand puts its thumb on the scale specifically because it avoids saying “we think non-coordinated disclosure is irresponsible”; it sneaks it in under the name change.

It won't change until there is better regulation with muscular enforcement. Right now the choice is between paying an $X bug bounty and the vague possibility of some problem for not paying a bounty (e.g., someone sues you, or a PR fiasco causes you to lose customers). That basically means a choice between a 100% chance of losing $X right now (to pay the bounty) or an unknown but probably low chance of an unknown but probably high cost later on. Without any specific incentives, most people making decisions at companies will just choose to gamble on the future, hoping that they can somehow dodge the consequences.

To change that calculus, the chance of that future cost needs to go up and the amount of it also needs to go up. If the choice is between a $100k bug bounty now and a $10-million-dollar penalty for a security breach, people will bite the bullet and pay the bounty. If the CEO knows he will lose his house if it's discovered that he dismissed the report and benefited financially from doing so, he will pay the bounty.

The consequences need to be shifted to the companies that play fast and loose with customer data.

This is software.

There are basically zero consequences for whatever fuckups you do, thus no incentives for companies to pay for vulnerabilities.

> I’m curious about the legal/reputational implications of this.

The comments and headlines will be a bit snarkier, more likely to go viral - more likely to go national on a light news day, along with the human interest portion of not getting paid which everyone can relate to.

Bad PR move

I guess I mean the legal risks to both sides. Security is only a portion of what I do and I only dabble in red teaming (this is the first time I ever tried it on a third party).

So I legitimately don’t know what the legalities of writing a “here’s how I hacked HypeCo” article are if you don’t have the express approval to write that article from HypeCo. Though in my case the company did have an established, public disclosure program that told people they wouldn’t prosecute people who follow responsible disclosure. TFA seems even murkier because Burger King never said they wouldn’t press charges under the CFAA…

I would argue that it is an ethical thing to do so if it sends a signal to pay whitehats appropriately.
Who is getting that signal?

Burger King is almost certainly going to experience no damage from this.

Their takeaway will likely be entirely non-existent. They’ll fix these bugs, they’ll probably implement zero changes to their internal practices, nor will they suddenly decide to spin up a bug bounty.

The signal is for the hats. Black hats may be more likely to attack. White hats will find better things to do. Some might even swap hats.
You’ve described a totally different “signal” than the comment I replied to.
I guess I should have made it clearer by making the implicit explicit:

“The signal isn’t to pay white hats more, instead…”

And perhaps an addendum such as:

“…which will then, indirectly and in the long run, create the signal you were replying to.”

Ah. I don’t have much optimism that companies like Burger King will ever get that 2nd signal (mostly because I don’t think the average consumer-facing business suffers much impact from this kind of incident), but I agree with your premise.

Appreciate your clarification despite the bluntness of my reply.

Yeah, the signal is not exclusively to Burger King.
This sucks. As a developer who puts a lot of effort on security, I hate that companies can get away with such negligence.

I hope people invent AI bots which uncover vulnerabilities and make them available publicly for free, in real-time. This would create the right incentives for companies.

Modern software has become a giant house of cards, under the control of foreign powers who possess asymmetric knowledge. This is because our overarching legal system protects mediocrity, and this gives nefarious skilled people a massive upper hand, while hurting well-intentioned skilled people who try to build software the right way.

The nefarious skilled people don't need to ask for permission and don't need to convince anyone to make money from their schemes... Well-intentioned skilled people build products which are impossible to sell or monetize because nobody cares enough about security... Companies mostly externalize the consequences of vulnerabilities to their users and leverage market monopolies to keep them.

You should consult a lawyer. The first thing they’ll probably want to see is the terms you agreed to on hackerone.
> Does that mean I can make a post like this?

No. Just because there's a blog post about a fixed vulnerability doesn't imply that it's ok to write a blog post about an unfixed vulnerability.

I'm not saying it's wrong to post a blog post about an unfixed vulnerability. I'm just saying that the existence of a blog post about a fixed vulnerability has no impact on whether it's ok or not to post a blog post about an unfixed vulnerability.

I was about to repost that blog post on another site and now it looks like it was taken down.
They want capitalism, give them capitalism. If you can make more money exploiting it and selling to mafias and gangs and nation states, do it.