undefined | Better HN

0 pointsgrabastic14y ago0 comments

His behavior should not be rewarded.

0 comments

Why? He didn't cause any harm, disclosed quickly, and only acted after being ignored by the framework community (multiple times, it would seem).

It's not even being "rewarded"--it's being "not punished".

Wouldn't you like to have people spot vulnerabilities on your site and report them promptly without also breaking things? Seems a little ungrateful, yeah?

If we are all going to migrate to the cloud and assume our services (no longer under our control) are handled competently, we must place a higher premium on vetting that competency.

grabasticOP14y ago

So if you had a vulnerable product and this gentleman altered one of your customer's pages without permission you would be grateful? That is strange to me.

angersock14y ago

Provided that the he did so and made the change public, and the modification was not malicious?

Yes. I'd even send him a thank-you email, and add him to our list of contributors.

I'd then of course contact the customer (probably over phone, as quickly as possible), explain the vulnerability, explain what happened, and explain how we were fixing it. Then I'd write a post about it, and put it on the front of the site.

That's how you do business.

1 more reply

Mikushi14y ago

Well, if like in this case, he warned me and I told him to "fuck off", I kinda would be grateful, even more like "Should've seen that one coming...".

1 more reply

j / k navigate · click thread line to collapse

0 comments

angersock14y ago

Why? He didn't cause any harm, disclosed quickly, and only acted after being ignored by the framework community (multiple times, it would seem).

It's not even being "rewarded"--it's being "not punished".

Wouldn't you like to have people spot vulnerabilities on your site and report them promptly without also breaking things? Seems a little ungrateful, yeah?

If we are all going to migrate to the cloud and assume our services (no longer under our control) are handled competently, we must place a higher premium on vetting that competency.

grabasticOP14y ago

So if you had a vulnerable product and this gentleman altered one of your customer's pages without permission you would be grateful? That is strange to me.

angersock14y ago

Provided that the he did so and made the change public, and the modification was not malicious?

Yes. I'd even send him a thank-you email, and add him to our list of contributors.

That's how you do business.

1 more reply

Mikushi14y ago

Well, if like in this case, he warned me and I told him to "fuck off", I kinda would be grateful, even more like "Should've seen that one coming...".

1 more reply

j / k navigate · click thread line to collapse