I’m on the verge of giving up reporting security issues because companies don’t really seem to care. They’ll drag you through the weeds to sign up for their bounty program, make you fill out a bunch of e-paperwork, then close your report as WONTFIX with an almost canned response without really considering the impact. Ok, so you say it’s expected behaviour, but does that mean it’s correct behaviour?
I understand that it must be exhausting for security teams receiving hundreds of spam reports from “researchers” running crappy scanners, but there are also those of us who put time and effort into genuine reports. When they are closed after 5 mins without even a thanks, I just think I won’t bother next time.
I think we would be in a much better security position globally if white hats were compensated well and protected by law.
My admittedly limited experience with being on the other side of this amounts to receiving a number of reports about email-related DNS records accompanied by bounty requests. I realize there are different kinds of people out there, and reporting of more serious issues would warrant more respect, but it seems like a number of people are just fishing for attention/money/"experience". I really didn't need to be notified by randos that the DMARC policy I chose was "vulnerable". Thank you, I read the RFC already. If and when we do decide to change it, it's up to us and our security posture to decide, not you.
It is almost nice to see I'm not alone in this; I've had some incredibly aggressive contacts from "security researchers" reporting about the lack of SPF/DKIM records on personal, and throwaway, domains.
It's the same stuff that used to happen ten years ago regarding "clickjacking", and the lack of X-Frame-Options headers apparently meant the sky was falling, even though my SSL-protected site didn't host user-details, session-details, payment details, or anything other than static brochure content.
> The most basic rule of professional ethics for security research is actually quite simple: We work to protect users first.
lmao yeah sure, I'm sure you believe that. I think I do too, to a degree.
But anyone who's ever run a bug bounty (for example) knows that there are too many people who are looking for a quick payout, for clout, or even just to be annoying.
I think this article is kinda naive in a lot of ways (there's just a ton I can poke at for something so short), but there definitely is a massive cultural problem in product orgs (researchers are often viewed as annoying), the security "industry" (so many researchers are actually annoying), and even propagated by the business side of things ("who would actually do something like this?").
Great blog title, and I agree