Tamas K Lengyel

@alex_02 @WPalant @thisismissem I agree, but the reality is that you are better off just ditching that vendor if they won't fix the issue. Then why not publish the issue anonymously? If you aren't going for a bug bounty, what is there to gain by attaching your name to it?

4 comments
DELETED

@tklengyel @WPalant @thisismissem why does disclosing a security issue require a bug bounty or publishing it anonymously? Treating hackers and researchers like terrorists is just making things worse and is why threats like ransomware gangs have such an easy walk in the park with breaking into networks.

Clover :neocat_3c:

@tklengyel so your proposal is that when someone finds a severe security issue they should just stop using the service themselves then anonymously publish it publicly?

I suppose that is one way of doing things “fuck every company that won’t pay me for finding an issue”.

Though, overall, this would result in more vulnerabilities being exploited instead of fixed before they are exploited by bad actors.

@alex_02 @WPalant @thisismissem

DELETED

@tklengyel @alex_02 @WPalant @thisismissem I'm trying to figure out if Tamas is just being disingenuous, or worse. If I were to find a bug in a product from your company (Intel?!), would y'all prefer that I
a) Blast it off into the aether and yolo off into the sunset while bad actors begin exploiting it?
b) Blast it off to what's likely a b0rked 'security@' e-mail address to be seen when the sun rises from the west?
c) Inform you of the problem in a way you can come back with questions?

Tamas K Lengyel

@frainfostudent @alex_02 @WPalant @thisismissem I'm just saying that if a vendor has no defined security reporting policy and/or an active bug bounty don't be surprised if they will be a bad actor in other ways as well. It's a risk at that point, why take it?
