I hope maybe we can agree, though, that with a few simple modifications to his approach, he is likely to reduce the probability of negative responses to the initial email. For example, he seems to already understand that people will take this email as a scam or sales attempt. But much is left to the imagination of the (uninformed) recipient about what the auth truly _does_ want. By filling in those blanks, the imagination need not be active.
someone tried to help him, he responded by making threats, and being rude. This is bully behavior. Why do you think responding to either email with a direct threat is reasonable?
> The researcher clearly has "power" in this situation over the CEO
You don't work in, or around information security do you? You're the first person to ever make any claim remotely close to saying any "researcher" has any kind of power. Without the context, if I told any of my security friends about researchers having power, I'd get a laugh about how absurd that idea is.
> he pretty much has caught him with his pants down, so in this case the CEO is lashing out at a perceived threat. You are entitled to the opinion that the researcher responded proportionately in this situation, I happen to disagree. I would not want my friends or coworkers responding this way in their daily dealings,
Much stronger than the expectations I have for security researchers, I wouldn't want my CEO to respond to them like a petty twat. Because when you piss off a researcher, just like the cyclist and the car. We can *both* lose https://gr.ht/i/both-lose.png
> I would want to give someone a chance to make amends instead of escalating, because this is not a playground and the stakes for the CEO are very real and potentially very damaging.
yeah, couldn't agree more... maybe you should raise your expectations for the CEO who's paid not to be a POS, and actually has a duty to protect users, instead of the random trying to stop bad things happening to people he doesn't know?
> I hope maybe we can agree, though, that with a few simple modifications to his approach, he is likely to reduce the probability of negative responses to the initial email. For example, he seems to already understand that people will take this email as a scam or sales attempt. But much is left to the imagination of the (uninformed) recipient about what the auth truly _does_ want. By filling in those blanks, the imagination need not be active.
It's not his responsibility to do any of that, that's the CEOs. Across all your replies, you defend the CEO like he's your brother. Hold *THEM* to the higher standard.
My whole point is that he doesn't actually know what the researcher wants, saw it as a threat, and responded to it as if it were a threat.
> You're the first person to ever make any claim remotely close to saying any "researcher" has any kind of power.
Having the entirety of their application database including customer PII, possibly the capability to encrypt the database and extort the company with it, not to mention the possibility of other potentially undisclosed vulnerabilities, decidedly IS significant power over a company. That's how bad actors are able to use any combination of these things to make money.
> Much stronger than the expectations I have for security researchers, I wouldn't want my CEO to respond to them like a petty twat.
I agree whole-heartedly. As for the rest, we more or less agree, you just are putting the onus on the CEO. I also expect more out of a CEO. I just don't think that feedback is actually particularly constructive to the audience here at HN.
