by phoronixrly 8 days ago
How many CFAA cases have to be filed in order for people to stop (gratuitously) reporting security vulnerabilities to corporations? Just stop, you don't owe them that, and it always comes off as an attempt at blackmail. If you care so much about their users, report to security authorities instead.
2 comments

The "security authorities"? Who exactly is that? And what action are they expected to take?

Responsible disclosure is not gratuitous, it's not blackmail. It is a standard industry practice. And the entity you notify is the vendor.

See EU CSIRT network, CISA for US unless it got deleted by the current management.
CISA advocates for responsible disclosure and links directly to documents telling you how to do so, such as https://certcc.github.io/CERT-Guide-to-CVD/tutorials/cvd_in_...

That if you locate a vulnerability, you should contact the vendor, and that "In terms of the CVD process, we have found that it is usually best to assume that any individual who has taken the time and effort to reach out to a vendor or a coordinator to report an issue is likely benevolent and sincerely wishes to reduce the risk posed by the vulnerability"

I get the weird feeling like you have a dog in this fight

No skin in the game apart from personally making the same naive mistake
Wtf are "the security authorities"?