by Nextgrid
237 days ago
What he did there could indeed be legally risky. Remember that while for a lot of us this kind of security research & remediation is “fun”, “the right thing to do”, etc., there are also people in our industry that are completely incompetent, don’t care about the quality of their work or whether it puts anyone at risk. They lucked their way into their position and are now moving up the ranks. To such a person, your little “security research” adventure is the difference between a great day pretending to look busy and a terrible day actually being busy explaining themselves to higher-ups (and potentially regulators) and getting a bunch of unplanned work to rectify the issue (while they don’t care personally whether the site is vulnerable - otherwise they wouldn’t have let such a basic vulnerability slip through - now that there is a paper trail they have to act). They absolutely have a reason and incentive to blame you and attempt legal action to distract everyone from their incompetence. The only way to be safe against such retaliation is to operate anonymously like an actual attacker. You can always reveal your identity later if you desire, but it gives you an effectively bulletproof shield for cases where you do get a hostile response.
Even if they do care personally (which I would assume is often the case if the respective person is not an ignorant careerist), they often don't have the
- organizational power
- (office-)political backing
- necessary very qualified workforce
to be capable of deeply analyzing every line of code that gets deployed. :-(