I'll write a full article in a year or two, but here's the short version: some weeks ago, as I was looking for job offers, I found one that was interesting. As I didn't know the company, I wanted to do my due diligence and check them out.
I opened the website and found a ClickFix (the "prove you're not a bot" type) attack on their main page. I spent over 2 hours and a small (but bigger than 0) amount of my own money to report the issue by emailing and even trying to call them (they didn't have any dedicated responsible disclosure page or contact).
After some time, they finally answered my emails, took down the website and "fixed" the issue. When I finally applied for the role, I got ghosted for a week, and only after I wrote them again asking for an update did I get rejected, as they allegedly were looking for someone more junior - though the job title was explicitly "Senior XXX Lead".

Some years ago, I went to interview (in person) at a big European financial institution.
As I got there around lunchtime, I happened to get to the front door at the same time as some employees who were returning from lunch and who, very kindly, held the door open for me. I was in their office around their computers, unsupervised and unaccompanied, for 10-15 minutes, enough time to plant some O.MG USB-C cables. During the interview, I had a chance to talk to the CTO and told them what happened and how I had been allowed access to the office, and I immediately saw his face change; he quickly changed topic and ended the interview. Unsurprisingly, I didn't get the job - I should have probably kept my mouth shut.