by abanana 38 days ago
Are you seriously suggesting people shouldn't operate with a bit of common decency unless they're going to get some money out of it?

I dislike it here because I like Mullvad, but yes, I think it’s fair to go straight to public disclosure.

Someone with likely substantial qualifications put in time to find this. The company is in it for profit (at least partially). What’s fair for the company is fair for the individual. The company can either offer to pay for bugs under the terms they want, hire more security folks to find the bugs themselves, or just accept that researchers get to do whatever they want with their findings.

I’d tell Mullvad, but there are companies I don’t respect enough to feel compelled to give them a heads up. Perhaps the author feels that way about Mullvad; it’s entirely within their right to use this to publicly shame Mullvad.

There was a recent discussion about disclosing publicly if the vendor ignores you. https://x.com/ZackKorman/status/2052427327418556679

Those who do bug bounties full-time ignore programs with no rewards. Those who want to gain experience or pad their resume can submit reports to programs with no rewards because they are not as competitive as those with rewards.

Another issue that is often talked about is the size of the bounty. Most are small <$10K so for users in developed countries, it's not sustainable to go full-time. https://www.theregister.com/security/2019/01/15/want-to-get-...

I tried watching that but X either broke their video controls or disabled them so I can’t skip ahead and the first couple minutes are _slow_.

The whole bug bounty thing is a mess, admittedly, but lacking a bug bounty program entirely feels like immediately losing the moral high ground on “you should have told us first”. There’s a lively debate about what bugs are worth, but it’s objectively not $0 for many classes because a botnet developer will buy them for some amount.

Personally, a big part of my view is formed by the educated assumption that security practices will never improve unless poor security becomes a liability. That’s unlikely to happen with “responsible disclosure” because it gets swept under a rug. Immediate public disclosure changes that risk calculus a lot. I think we’d see a lot more downward pressure from vendors to their suppliers if $RandomSaaS had to worry about losing their pants because Oracle had a vuln published.

No software is free from bugs. Categories of software that undergo extensive verification, like aerospace, are priced far higher to accommodate the additional QA. If such extensive verification is added to average consumer or even business software, the massive costs will pass down to average users, making it too expensive. Security practices need to improve, but I don't think 0-day droppers are the answer. Not every threat actor is at the same skill level. Immediate public disclosure provides them the opportunity to hit endpoints that they would not have hit because of low skills.
Software is the only field where people will routinely argue producers can’t be expected to make a product that won’t harm its users and I don’t buy it.

The way your argument reads to me is “software as a category has so little utility that profit margins can only be derived from corner cutting”.

The reality of the landscape is that most companies don’t get hacked as the result of an incredible and novel Spectre-esque attack, it’s something bland and entirely preventable.

Eg https://nvd.nist.gov/vuln/detail/CVE-2025-31324

SAP got a CVE because they just flat out didn’t implement auth on an endpoint in an app architecture that will execute files just for being in a certain directory, and also didn’t prevent writing files to executable paths (or maybe that’s how the feature works, not an SAP person). For every 0 day with a novel root, there are like a thousand that are some kind of humdrum “didn’t enforce auth/SQL sanitization/XSS/other well known exploit with comprehensive solutions”.

I do think there are good reasons to withhold some classes of exploit. If a hacker writes a 14 page proof on how to beat some encryption we had no idea was vulnerable, that’s one thing. Getting owned for making an insecure architecture and then not even putting auth over it is a whole other issue.

Now that I've thought more about it, I agree with you. Most companies fall prey to well known exploits that are not that expensive to mitigate.

I think it's mostly ship product faster > secure product first that leads to such insecure architecture. Ideally, security should be incorporated early in the software development life cycle but most start-ups rarely hire a security guy in the initial phases. https://www.reddit.com/r/indianstartups/comments/1r6zwbg/why... They expect the software devs to have that knowledge. But security hardening is a skill that takes time to develop so most devs just focus on feature development.

Even for well-established companies, most security teams are not given top priority.

- https://www.reddit.com/r/ITManagers/comments/1qwnywo/devs_ig...
- https://www.reddit.com/r/cybersecurity/comments/wjypns/does_...
- https://www.reddit.com/r/cybersecurity/comments/1fjnl9j/fed_...

Will immediate public disclosures change the mindset of top leadership regarding security? For some, yes but most will not change because breaches have become too common. They reason if top tech firms like Microsoft or GitHub can suffer breaches and come out on the other side unscathed, they too can survive a major security incident.

This ought not be considered anything close to common courtesy. This is work. Mullvad is engaged in the business of making money. They should show how serious they are with your money.

Since when do you have professionals giving you examinations out of common courtesy? Out of courtesy can I get a free cancer screening?

If a doctor performed a cancer screening on me, for free and without me asking, then yes — as a matter of courtesy I would still expect that doctor to tell me if he found cancer, rather than reading about it on his blog later.
You are a person and they are a company. Please make sure to differentiate the two entity types when drawing parallels.
That is legally allowed as part of studies, to which a patient must agree after being proposed. Otherwise, it is illegal.
> If I doctor performed a cancer screening on me, for free and without me asking

But that would never happen, so the point is moot.

I have known doctors and lawyers and many others to do work pro bono.
Without the patient or client asking?
Well, yes. People have been diagnosed with skin cancer when a doctor saw a picture of them in an article and reached out to them.
>Since when do you have professionals giving you examinations out of common courtesy?

Maybe when they decide on their own volition, without any external pressure, to go and poke around your system?

"Hey, I'm a mechanic, I was looking at your car parked out there and noticed something incredibly dangerous that needs immediate fixing. I'll tell you what it is for $1,000."

Please...

Even better, the mechanic writes a blog post about the dangers of non-functioning brakes, but doesn't tell the car owner, because they didn't have a sign advertising their "car issue bounty program".

Seems to be a systemic issue with computer guys feeling entitled to financial compensation for strange reasons. See also, people licensing their software as "open source" and then being mad when people make money off it.

Even better, the mechanic writes a blog post about how the locks on that guy's car don't work, and how anyone could just steal it, but doesn't tell the guy because, after all, the guy wasn't paying him to.
Both of y'all are confusing individual with corporate.

  The mechanic writes a blog post about how the locks on [a car model] don't work, and how anyone could just steal [cars], but doesn't tell the [car company] because, after all, the [company] wasn't paying him to.
Especially, when the car company spends on 'certifications' (security audits, in this case) and specifically markets it as a differentiator. That said, uncoordinated public disclosures in cybersecurity are bad form, given the well-established existing norms & culture; but at least, let's get analogies right.
Obviously there are a hundred variables that differ between the analogy and the actual situation. You changed one that felt important to you (individual/corporation) but there are still 99 that differ. That's what makes it an analogy instead of just being a retelling of the actual situation.

But yes, if you found a general fault in the locks of a certain car model and publicized it without first informing the company and giving them a fair chance to inform the affected customers, people would probably be annoyed with you. Individuals even, not just companies.

"You chose that car that advertises good locks. Guess what, the locks are actually bad and now I'm gonna publish exactly how, to teach the manufacturer a lesson about paying me money".

When their 'common decency' is directly benefiting a money making corporation with shareholders and directors then yes they should definitely get some money out of it.
On the other hand, the lack of common decency can endanger innocent 3rd parties.
If you create a 3rd party app to some closed source insecure back end, that's on you for trusting them or not doing your due diligence.

Time and time again private companies have rug pulled things like api access for 3rd party apps (such as twitter/X). Building 3rd party clients for private systems should already be approached with heavy scepticism and always be prepared for the worst.

You are correct, but none of that absolves the person of their responsibilities to others with regard to common decency.

Notify, then publish

Bull.

This is the best VPN regarding security and privacy there is.

I did my research

I've got a Proton VPN sub, what would you say are the biggest reasons to switch to Mullvad?
Most of HN readers/writers are American, of course they won't do anything unless they personally profit off it, the entire culture is built around this mindset. Meanwhile, Mullvad is Swedish, and we tend to assume we all want to help build a better world together. Mix the two, and you get this conversation :)
I would hesitate to make generalizations like that about a country with a population 35x larger than yours. There’s no US monoculture.
Great, thanks for the tip. I'd hesitate assuming what country people live in :) Seems we all have something to learn from each other.
> Meanwhile, Mullvad is Swedish, and we tend to [...]
So what, suddenly Swedes can't live outside of Sweden? Kind of interesting to make complaints about generalizations and in the same comment falling for the same trap yourself.
Come on.
LOL. Sure there's no "monoculture" but there's certainly US culture and it's all about money and "screw you got mine" mindset.
Many Americans have contributed substantially to open source and free software over the past decades. What are you trying to say?
Interesting, I hadn't considered the bigot angle.
> Most of HN readers/writers are American, of course they won't do anything unless they personally profit off it, the entire culture is built around this mindset

American culture is highly varied. For some this is true, for others this is wrong and highly insulting.

Maybe try a narrower brush next time.

It's OK for the country to have a pervasive culture yet not every resident or citizen of the country to be a part of that culture, or even actively work against it. If you're not one of them matching that description, it shouldn't be insulting, as it's not about you in the first place.

Maybe not everything is aimed towards you, especially if you don't feel like the description actually matches you :)

Sweden, the entire country, has the population of New York City, and is about 3/4 the size of Texas.
Don't forget about Sri Lanka, whose population is around 21 million.
That is a lot of words for "my negative stereotypes about you and your country are fine, actually. Don't take it personally, bro. Maybe you're one of the few good ones!"
I'm American. It's the pervasive culture. The brush doesn't need to be narrower.
Every time someone makes a cultural comment here, the reply is always "America is a big country". America can be a big country and still have common cultural elements. It's not inaccurate to say that citizens of a large country mostly share some common characteristics. Those characteristics are what makes them one country.
I think the "others" should open their eyes to the world around them, then.
> should open their eyes to the world around them

Amazingly brazen assumption right there.