undefined | Better HN

0 pointsrefulgentis2y ago0 comments

They reworded things since yesterday:

Before, one collaborator had them in a chat sneering about chattr, checking their Javascript, then getting a GUI pwn tool for firebase.

i.e targeted attack with malice, followed up a blog post wildly exaggerating what happened, with a disclosure policy of 'we emailed them once and they fixed and didn't email us back so we'll just publish'

Only spelling this out because it's important to point out the significant gaps between white hat culture and these actions, not only for the authors, but for people who are inspired and want to practice it

0 comments

3 comments · 1 top-level

internetter2y ago· 2 in thread

> Before, one collaborator had them in a chat sneering about chattr

"Wow this thing looks crappy"

> checking their Javascript

"I wonder if it is crappy"

> then getting a GUI pwn tool for firebase.

"Huh, it seems crappy. Let's just check to be sure"

> with a disclosure policy of 'we emailed them once and they fixed ...'

"Well, this thing is really crappy. we don't want to harm people. Let's tell them about how crappy it is to avoid harm"

> and didn't email us back so we'll just publish'

"They fixed the thing, nobody will be harmed. We still think it's crappy so let's talk about it"

Why wouldn't they go public at this point? They've gotten nothing else out of it, and since the issue has been fixed there is zero harm to customers. Do you propose they go like

"Hey company, we found this really embarrassing thing you did. I see you fixed it now, so can we talk about it"

silence

"Oh well the company didn't say anything so we won't talk about it. So sad"

In what world do we not hold companies accountable? In what world do we blame the people who find these issues for free?

refulgentisOP2y ago

Note I'm not claiming disclosure is bad, but rather, this is a copy of a copy of a copy of a copy of a copy of a copy of how professionals handle these situations, to the point there's nothing left except the "1) pick a target 2) email them 3) write a blog post when fixed" parts.

internetter2y ago

What other steps have their ever been? Getting a CVE?

1 more reply

j / k navigate · click thread line to collapse