undefined | Better HN

0 pointstptacek6y ago0 comments

We manage bug bounties for a bunch of different startups, and I can count on zero fingers the number of times I've had to use PGP in the past year for that. In practice, people just send bugs with plain 'ol email.

0 comments

nmadden6y ago

I used to get about 1 or 2 PGP-encrypted emails with security bug reports per year when I managed this for my employer. There's a dedicated team that receives security reports now, with email feeding into an automated ticketing system with automatic acknowledgements, reminders, spam filters, PagerDuty alerts, etc. There's a huge amount of tooling and workflow built around email, with a lot of integrations into all kinds of enterprise software. Often the only sane way to trigger all this stuff is to send an email.

So I think the result of removing PGP will be even more plain 'ol email than anything else.

lvh6y ago

It sounds like you’re saying “and that’s why GPG is good”, but I read that as an argument why there’s a very high probability that one of those things is going to spill the beans, plaintext, in an email anyway.

nmadden6y ago

No, I'm not defending PGP. Even without the automation, every PGP-encrypted email almost certainly results in a bunch of internal plaintext emails between employees that could easily accidentally cc the wrong person, etc. I'm just pointing out that the chances of replacing PGP with something genuinely secure for these kinds of use-cases are close to zero.

dunkelheit6y ago

So even Latacora-advised startups use plain old email for bug bounties. Why then does the blog post recommend using Signal for that?

tptacekOP6y ago

Because Signal would be better than the PGP theater. In practice, though, it doesn't matter; people are just going to use plain old email no matter what. They're not going to encrypt their findings to you.

lvh6y ago

Anecdote about said startups: in 2y of the one big bounty that did have a PGP key, we got one PGPd report, and it was “session takeover”: if I copy the cookie out of Burp and into a new Incognito session, I will be logged in. Bounty plz?

We also got super clever reports on that same bounty program. They just sent email.

1 more reply

dewyatt6y ago

> PGP theater

Hmm I don't see it as theater if you are unable to intercept and decrypt my message. Or forge my signature, etc.

j / k navigate · click thread line to collapse

0 comments

nmadden6y ago

So I think the result of removing PGP will be even more plain 'ol email than anything else.

lvh6y ago

nmadden6y ago

dunkelheit6y ago

So even Latacora-advised startups use plain old email for bug bounties. Why then does the blog post recommend using Signal for that?

tptacekOP6y ago

lvh6y ago

We also got super clever reports on that same bounty program. They just sent email.

1 more reply

dewyatt6y ago

> PGP theater

Hmm I don't see it as theater if you are unable to intercept and decrypt my message. Or forge my signature, etc.

j / k navigate · click thread line to collapse