[jdefr89]

Vulnerability Researcher here… Unless your target has a security bounty process or reward; leave them alone. You don’t pentest a company without a contract that specified what you can and can’t test. Although I would personally appreciate and thank a well meaning security researchers efforts most companies don’t. I have reported 0days for companies that HAVE bounties and they still tried to put me in hot water over disclosure.. Not worth the risk these days.

[belorn]

We had a situation in Sweden when a person found that if you remove a part of the url (/.../something -> /.../) for a online medical help line service, they got back a open directory listing which included files with medical data of other patients. This finding was then sent to a journalist that contacted the company and made a news article of it. The company accused the tipster and journalist for unlawful hacking and the police opened a case.

But was it? Is it pen testing to remove part of an URL? People debated this question a bit in articles, but then the case was dropped. The line between pen testing and just normal usage of the internet is not a clear line, but it seems that we all agree that there is a line somewhere and that common sense should guide us in some sense.

[operator-name]

This wasn’t a pen test? It was a drive by “oh fuck the platform I’m using is completely insecure”.

[bonoboTP]

You walk past a ministry office and notice that there is nobody at the door checking people entering, you walk in, you find an office door open, many binders on the shelves, nobody present. You read through the binders, pull out the drawers and see private info etc. You then walk out and send a mail about this. What do you think is going to happen?

[pr4296]

I think it's more like there's a binder lying in the street outside the ministry office and you pick it up and see that it has private info.

[michaelteter]

This dive instructor was using this insurance company for his clients, and thus had a responsibility to prevent any known risk (data privacy loss in this case).

So he had two options: take his clients and his business to another insurer (and still inform all his current and previous clients about their outstanding risk), or try to help the insurer resolve the risk.

[1970-01-01]

Good guideline advice but it seems you didn't read the article. Their personal data was at risk here. Leaving them alone would very likely result in a breach of this person's data. Both he and you have an ethical responsibility to at minimum notify the business of this problem and follow up with it.

[stevefan1999]

I also guess you haven't read the article too:

> And the real irony? The legal threats are the reputation damage. Not the vulnerability itself - vulnerabilities happen to everyone. It's the response that tells you everything about an organization's security culture.

See. The moral of the story is that the entity care more about their face than the responsibility to fix the bug, that's the biggest issue.

He also pointed out bugs do happens and those are reasonable, and he agreed to expose them in an ethical manner -- but the goodwill, no matter well or ill intentioned, those responses may not come with the same good tolerations, especially when it comes to "national" level stuff where those bureaucrats knows nothing about tech but they knew it has political consequences, a "deface" if it was exposed.

Also, I happened to work with them before and know exactly why they have a lot of legal documents and proceedings, and that's because of bureaucracy, the bad kind, the corrupt kind of bureaucracy such that every wrong move you inflicted will give you huge, if not capitcal punishment, so in order to protect their interest, they rather do nothing as it is unfortunately the best thing. The risk associated of fixing that bug is so high so they rather not take it, and let it rot.

There's a lot of system in Hong Kong that is exactly like that, and the code just stay rotten until the next batch of money comes in and open up new theatre of corruption. Rinse and repeat

[kortilla]

That’s not how it works. You are not ethically responsible to hack every company you interact with.

[1970-01-01]

No, that's exactly how it works when you're Certified.

https://www.giac.org/policies/ethics/

"I will protect confidential and proprietary information with which I come into contact."

[mbrumlow]

GIAC has zero authority, any group of people can get together and make their own policies and print a nice little certificate when somebody applies.

[kortilla]

No it’s not. Unless you’re certified by the government that carries no weight.

That’s no different than “sovereign citizens” claiming they have rights to drive without licenses.