undefined | Better HN

0 pointsaaronwp4y ago0 comments

Yes, if PII is involved it's common to run an audit like this. In addition to the access keys on the server image, Sega also accidentally published a database export containing PII. In order to write a comprehensive disclosure I have to investigate thoroughly.

And yeah, there's no branding or information on HackerOne. Even if this had been in scope, I would have thought twice about submitting anything. Our publishing standards match HackerOne ethical disclosure standards.

0 comments

phnofive4y ago

Did Sega agree to this public disclosure?

Referring to the HackerOne standards, it appears your team violated a couple:

> Respect privacy. Make a good faith effort not to access or destroy another user's data.

> Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.

wwtrv4y ago

Public disclosing it seems to clearly fall under the ‘ Act for the common good through the prompt’ since SEGA’s user are the real victims in this situation and have the right to known that SEGA us incapable of keeping their data safe.

batch124y ago

This sounds similar to justification used by ransomware groups.

1 more reply

tentacleuno4y ago

> Even if this had been in scope, I would have thought twice about submitting anything.

Sorry, I don't understand. Why would you be hesitant to responsibly disclose it to HackerOne?

phnofive4y ago

They didn't know about it beforehand, but even if you visit the page, it says that SEGA Sammy hasn't claimed it, so it appears unofficial.

j / k navigate · click thread line to collapse

0 pointsaaronwp4y ago0 comments

0 comments

phnofive4y ago

Did Sega agree to this public disclosure?

Referring to the HackerOne standards, it appears your team violated a couple:

> Respect privacy. Make a good faith effort not to access or destroy another user's data.

> Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.

wwtrv4y ago

batch124y ago

This sounds similar to justification used by ransomware groups.

1 more reply

tentacleuno4y ago

> Even if this had been in scope, I would have thought twice about submitting anything.

Sorry, I don't understand. Why would you be hesitant to responsibly disclose it to HackerOne?

phnofive4y ago

They didn't know about it beforehand, but even if you visit the page, it says that SEGA Sammy hasn't claimed it, so it appears unofficial.

j / k navigate · click thread line to collapse