undefined | Better HN

0 pointsorf4y ago0 comments

You don’t owe companies that don’t invest in security anything. This whole comment smells of upmost naïvete.

It’s a for-profit company without a bug bounty program, in no way whatsoever should they expect someone to work for free to fix issues they created.

The keys are public, they made them public. Do you expect that there are not automated systems trawling apps from the g-play store and doing what he’s doing?

0 comments

3 comments · 3 top-level

mr-wendel4y ago

If this be naïvete, then I'll happily wear that label, and wear it proudly. I've been around enough to have a good sense of the value you create when you make an effort to consider other people's interests, and that seemed absent in the original post. I disagree that this is naïve, however. I've worked with far too many talented people who think the same way to chalk this thinking up to inexperience or simplicity.

That they are a for-profit company is completely irrelevant, as is whether or not they have a bug bounty program. Legal abstractions aside, it's still just people on both sides.

The expectation isn't that the poster work for free. The poster could have easily obscured identifying details and the content of his article would not be diminished. It is my opinion that if he wanted to "show his work", work done of his own initiative, then I think it would be more interesting and useful to include something about attempting to assist in remediation. I think, as mentioned by others, it would make a far stronger argument to click that "hire me!" button than anything in his technical analysis.

Of course automated systems are on the hunt for this stuff. Same with public code repositories, Docker images, and if you operate a subscription-based service with any popularity then your web interfaces for sign-up, login, etc will be subject to well-orchestrated brute force attacks. That someone did a poor job is all the more reason to avoid potentially contributing to their exploitation.

A response within the positive spectrum is absolutely above and beyond. Of all the feedback this community can provide, I think this is the most useful and I'm grateful that the poster has been responsive to it.

Forgeties794y ago

So if you leave your door to your home unlocked and I go ahead and list your address/tell everyone online that the door is ready to be opened, do you blame me or yourself when a dozen people break in that night? Because the way I see it, you’d probably just have come home and realized your mistake with no real consequences if I hadn’t come along.

noasaservice4y ago

I'm sitting there at -3 for what amounts to be an "unpopular opinion" (aside: downvotes/silencing/dead'ing is common here for unpopular but realistic comments in IT, or how dare you offend the techbros, who are invariably writing shitty apps with garbage APIs.)

I've made money from selling exploits to companies. Ive also been cheated out and had bugs downrated so they could pay less. Ive also seen colleagues who reported bugs they inadvertently found get hit with a felony (found not guilty).

Frankly, this company should thank its lucky stars that the disclosure was an 0Day and not "sell this on dark web and have it exploited for 3mo from 1500 accounts and drain the company's coffers".

This person owes the company *nothing*. They found an exploit due to bad API implementation, and wrote about it publicly. If they were in the USA, that's completely in 1fa territory.

j / k navigate · click thread line to collapse