undefined | Better HN

0 pointsTallGuyShort11y ago0 comments

Exactly. I just saw that the local bank my parents use is still vulnerable to the Heartbleed Bug. But you know what? I don't want to go down there and talk to them because I'm quite certain they'll call the police because I "hacked into their systems".

0 comments

derefr11y ago

There should be a security equivalent to hiring a lawyer to write strongly-worded letters for you.

Maybe someone could set up a firm where individuals could hand them a vuln report, and then the firm would contact the vulnerable company on the individual's behalf. The firm would do the long, boring dance of "we suspect you're vulnerable to X, though we haven't tested it, but we'd like to do a free vulnerability test on you, so please sign this liability waiver", both protecting the individual from liability, and taking time the individual doesn't have. In return, if the company gives rewards, the firm could take a percentage.

eric_cc11y ago

So you pay money to hire somebody to send a company a letter informing the company of the companies problem in hopes that maybe, just maybe, the company will reward the the firm a small sum of money and you will get a small amount back.

I think you have a winner on your hands.

ithkuil11y ago

I might be living in a country with very few banks (3). I may benefit from letting them know about a security issue, especially if because of that issue I could potentially go to jail

I may not have the option of changing bank because the others are even worse.

however I don't know how much I would pay for that. Probably some kind of class action would work.

derefr11y ago

They wouldn't be doing it for the money. The EFF would be a good example of a firm that could take this practice up.

1 more reply

Semaphor11y ago

> I just saw that the local bank my parents use is still vulnerable to the Heartbleed Bug.

Just remember, many sites use the old certificate expiration even though they generated new certificates which shows up as a false positive on the checking tools.

VikingCoder11y ago

One idea: Call your local newspaper with an anonymous tip?

borski11y ago

To be fair, there are some that respond more graciously than others, but it's entirely unclear.

AJ00711y ago

If you are a bank, and you haven't fix one of the worst and widest reaching security holes in years by now.. well. Criminal negligence would be an appropriate description.

bananas11y ago

That's what pastebin is for.

j / k navigate · click thread line to collapse

0 comments

derefr11y ago

There should be a security equivalent to hiring a lawyer to write strongly-worded letters for you.

eric_cc11y ago

I think you have a winner on your hands.

ithkuil11y ago

I might be living in a country with very few banks (3). I may benefit from letting them know about a security issue, especially if because of that issue I could potentially go to jail

I may not have the option of changing bank because the others are even worse.

however I don't know how much I would pay for that. Probably some kind of class action would work.

derefr11y ago

They wouldn't be doing it for the money. The EFF would be a good example of a firm that could take this practice up.

1 more reply

Semaphor11y ago

> I just saw that the local bank my parents use is still vulnerable to the Heartbleed Bug.

Just remember, many sites use the old certificate expiration even though they generated new certificates which shows up as a false positive on the checking tools.

VikingCoder11y ago

One idea: Call your local newspaper with an anonymous tip?

borski11y ago

To be fair, there are some that respond more graciously than others, but it's entirely unclear.

AJ00711y ago

If you are a bank, and you haven't fix one of the worst and widest reaching security holes in years by now.. well. Criminal negligence would be an appropriate description.

bananas11y ago

That's what pastebin is for.

j / k navigate · click thread line to collapse