[rukshn]

I stopped reporting any security bugs I find in web apps because first time I did it I almost got arrested by the police.

The second time I did it they contacted my employer directly without even getting back to me saying they were unhappy of me reporting it and wanted to write about it after they fixed the issue.

Since then I decided it’s not worth all the hassle and I will let them be and I can also have a peaceful day.

[Permik]

If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party. You can do this wholly anonymously, so you don't have to worry about some trigger-happy corpo ruining your life.

Traficom's FCSC has been a great asset for white hat security reseachers globally by allowing them to just keep contributing to the common good.

[taneliv]

I should have known this exists, yet I didn't. Thanks for pointing it out.

This seems to be a direct link to a web form to report (in English): https://eservices.traficom.fi/ContactForms/form/haavoittuvuu...

In particular, note that all the fields asking for personal information disappear if you select "Yes" in "I am submitting an anonymous tip" field.

[notarobot123]

Just to play devil's advocate, couldn't sending zero-day exploits to a foreign nation's intelligence service potentially cause the sender significantly more trouble.

[wongarsu]

Finland is a NATO country, so for most people on this site you would be sending it to a government agency of an allied nation. Punishing that would make it look like you don't trust your allies

The other angle is that you are obviously doing it in good faith, on the assumption that they will try to work with the vendor to fix and responsibly disclose the vulnerability

[johnbarron]

It depends on the country apparently:

"Israel reached out to US hackers for ‘Zero Days’ tools" - https://www.timesofisrael.com/israel-reached-out-to-us-hacke...

[paulryanrogers]

Because... your home country or affected company could consider it espionage? Sounds like a stretch.

[reaperducer]

Just to play devil's advocate

Why?

[bauldursdev]

Because information asymmetry benefits those with the information. If the devil understands your argument, and you don't understand the devil's argument, the devil will have information advantage.

[reaperducer]

Not everything in life deserves to have both sides aired.

For example, the Internet giving every crackpot wingnut on Earth an equal voice with scientists is how we end up with measles outbreaks.

[0xDEFACED]

it's a good question

[entropie]

> If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party.

The CCC (Chaos Computer Club) in germany will probably do the same.

[Imustaskforhelp]

I knew I had heard of CCC from somewhere buts its https://ccc.de which includes the https://media.ccc.de

There are some really decent technical videos on it, CCC is really awesome!

Really loved this talk in particular from CCC: https://media.ccc.de/v/33c3-8314-bootstraping_a_slightly_mor...

[firefax]

Were you somehow able to intuit that parent is Finnish?

I'm intrigued by your post -- I used to tell people send things like this to CERT/CC... but it's been so long since I dabbled in that world that my contacts have departed and the current administration is so erratic that paired with Finland's recent rejection of neutrality and ascension into NATO that I would frankly agree that your CERT may be a better fit for the majority of people.

[Aachen]

> the current administration is so erratic that paired with Finland's recent rejection of neutrality and ascension into NATO

Not sure if this is what you mean, the comment is rather confusing to me (Finland was ever neutral? Between which states, surely not EU and Russia as they sit between? Which administration relates to Finland and is unreliable? Why would you need personal contacts to report vulnerabilities to a CERT? Etc), but they weren't rejected for NATO membership: https://en.wikipedia.org/wiki/Finland%E2%80%93NATO_relations opens with

> Finland has been a member of the North Atlantic Treaty Organization (NATO) since 4 April 2023.

[firefax]

That now that they've joined NATO, it's safe to share with them.

A "neutral" country might abuse them.

[rvnx]

You now have the worst of both worlds.

You report yourself to the police for trying to hack into a computer-system and you report yourself to the website that can now decide to sue you.

All of that without any benefits.

[Aachen]

If it's anything like the Dutch or German infosec agencies, "worst of both worlds" is about as far from the truth as you can get. Maybe it works that way in Saudi Arabia but it's not "reporting yourself" here

[chadgpt3]

I wouldn't trust anything like that in Germany, where everything is rules-based. Hacking is illegal, so if the police find out you hacked and can prove it, they will arrest you and you will be convicted, period. In Germany there's no common sense applied to the rules. Arguing that you hacked and then reported it responsibly won't reduce your criminal penalty for hacking.

[Aachen]

> I wouldn't trust anything like that in Germany [...] Hacking is illegal, so if the police find out you hacked and can prove it, they will arrest you and you will be convicted, period.

This is rather hilarious to read as a reply to someone whose day job is literally hacking in Germany. We document it for tax reasons and sometimes are even allowed to publish it, too! Besides paying clients, we also "hack" (read: help secure) projects and blog about the vulnerabilities we've found and what the disclosure timeline was

Clearly this doesn't work as a blanket statement and coordinated vulnerability disclosure is a thing here. I can agree there are caveats but the statements as made aren't accurate

As for dealing with the government, so far as I'm aware, none of us have had bad experiences with the German IT security agency (BSI) whenever a vendor was being uncooperative (healthcare vendors tend to be very, let's say, German about whose responsibility it is when their device sends genital pictures over a network with no encryption or authentication option available in the software)

[ahartmetz]

Apart from a certain general incompetence in IT related topics, common sense is a rather important part of German legal interpretation. Intention, proportionality and such.

There are some infamous counter-examples, but you can find these in any country and it's these that make the news.

[PunchyHamster]

Sir, this is not USA, don't assume stuff fucked up there is fucked up everywhere

[embedding-shape]

It's starting to be so common on the internet, clueless US residents not really grokking things aren't as bad in other places as in the US, that I'm starting to think that maybe this is some sort of psychological defense mechanism? You've heard how great and exceptional your country is since you were born, and suddenly evidence is being pointed to that maybe that wasn't so true, so your brain is trying to reason away how clearly this can't be true, you cannot been lied to your entire life...

[Nasrudith]

That sounds a lot like the assumption that crime rates are better in less populous areas - just because there is less reporting doesn't mean that it isn't there.

Have you been to the US? If not how can you be certain that the US is truly worse?

[noir_lord]

> You've heard how great and exceptional your country is since you were born, and suddenly evidence is being pointed to that maybe that wasn't so true, so your brain is trying to reason away how clearly this can't be true, you cannot been lied to your entire life...

You are describing cognitive dissonance, I suspect most people do have it about their country (unless they really like history in which case they are aware of the fucked up things their country has done and there is much less dissonance) but the average US citizen is very much an outlier by the standard of western countries.

Even the smart ones who do know history often only know their side of it from their point of view and many of them have very little understanding of the world beyond their borders (because they simply have no need to).

They just seem to blur the border between nationalism and patriotism more than most countries.

[Barbing]

Is this purely theoretical? Asking since we don’t wanna encourage making the world worse if there is indeed a clever way to stay safe - has anyone been hassled after reporting to the Finnish Cyber Security Centre?

[Swiffy0]

Well I'm a Finn and have reported my findings to the FCSC. Zero hassle. The folks at Traficom are a really nice and smart bunch, I have had chats with them face to face a couple of times. They are very well versed when it comes to potential issues or hassles with disclosing exploits. From what I've seen, everyone at Traficom really just wants to keep internet and information systems safe, and to provide the best support possible for IT professionals regarding cyber/information security.

You can also submit anonymously and/or via secure email: https://www.traficom.fi/en/contact-details/sending-secure-em...

This is what their privacy statement says: “Data breach information, including personal data, can be exchanged confidentially with other authorities relevant to the breach when required or permitted by law. The person who fills out the form is asked if they consent to the transfer of information to another authority."

[sunaookami]

Reporting software vulnerabilites in Germany is the dumbest thing you can do, you WILL be arrested. There is a recent case where some company had a hardcoded database password in their EXE file and if you open it with e.g. Notepad you can see it and this already counts as "illegal hacking". https://www.heise.de/en/news/Federal-Constitutional-Court-re...

[hennell]

I once tried to report an incident to a train line who had done "~a nice thing for a person~" and had photos about it on their social media. One photo was in their office and in front of a wall with a A4 page of usernames and logins for various systems on it.

I tried three different contacts I could find, only one came back to me and wanted to know what the systems did what the risk was etc. I pointed out I have no idea, and I'm absolutely not logging into mysterious systems to find out - pass it to your own IT so they can see what needs to be changed, rotated etc.

I did eventually get a message back from someone who thanked me for my diligence and said it was solved as they had now removed the photo... I really hope they had someone who understood look at it, but I decided not to engage further...

[harrouet]

Some may criticize regulations, but the EU-mandated cyber-resilience act (CRA) actually forced companies to have a clear contact point for vulnerabilities reporting, and to act upon it.

[hiAndrewQuinn]

2026-09-11, save the date folks. That's when all companies selling products with digital elements in the EU have to have a reporting pipeline for actively exploited vulnerabilities and severe incidents.

[u8080]

Easy to remember

[mjmas]

Silver anniversary for it

[subscribed]

Do not bother.

I was wearing a white hat professionally for quite a while but I can't fault you - at this point trying to be honest and helpful is dangerous. If you decide to sell the vulnerabilities, so be it.

[p0w3n3d]

That's really sad to hear, you must have felt really bad. Just because they do not know about the vulnerability, it won't disappear. And they won't fix it too. Ignorance is a bliss, but not in this case...

[SlightlyLeftPad]

It should be obvious who the real criminals are in this case.

[lionkor]

You could try reporting them (the exploits) anonymously to a government agency

[phartenfeller]

The German "Chaos Computer Club" (hacker club) has a disclosure service. They approach the affected party as the club, hiding the persons identity. Not sure if they do it internationally as the page is in German. But nice idea and not a government agency.

https://www.ccc.de/disclosure

[Lukas_Skywalker]

They did notify Collins Aerospace in the past, so I assume they do report internationally.

[ranger_danger]

So they can exploit it in secret for their own benefit?

[lionkor]

If you have so little trust in your government (maybe you're American?) it might be time for change!

[ranger_danger]

Considering Snowden files have shown they intentionally hoard 0days, I don't think it's so much a lack of trust as it is a proven track record of their behavior.

[voakbasda]

No shit. Mind telling us how? Because elections sure aren’t going to do it.

edit: sorry, there is so much of this sentiment, and the system is proven to be rigged. We know that things have gotten bad. Really bad. And there’s little hope of it self-correcting. The corruption is too deep and now seems unabashed. I seriously do want advice on how to change things, but three out of the four boxes meant to preserve liberty have proven to be inadequate. I see no future that doesn’t involve violent upheaval. Convince me otherwise.

[lionkor]

I agree with the violent upheaval idea.

I believe that all systems which promote and enforce radical patriotism "no matter what" are bound to end up there.

It's also getting more and more difficult for your country to keep allies, what with bombing and assaulting every single possible place for maximum profit extraction. Lots of people in the world have a hatred for the USA (as an entity) that is only paralleled by e.g. Nazi Germany.

The only way to make a change is to get up and make a change, and if you can't because you're that deep in the hole, as you said, violent upheaval.

I really wish that the USA would just wake up one morning and decide to make a change, without violence and bloodshed, to look at other Western countries for inspiration and create a more human society.

[lofaszvanitt]

sell them to a vuln or exploit broker. problem solved.