by fleitz 4578 days ago
Yes, it does. Customers do not care how the intruder got in, only that they got in. Spear phishing is an attack that makes the company look dumb. Leaving the credentials for your source code on the web makes you look even dumber.

To qualify for the bug bounty he should have inserted code into their codebase and then exploited that. Fuck these guys.

1 comments

Flooding communications channels (in particular, mental bandwidth of front-line employees) with attempts to spear-phish is an attack that interferes with operations even when unsuccessful. It does not make sense to ask the world at large to persistently try such attacks.

This case is not like that, though.