RealTime Cyber

We rarely share opinions on here, but I thought we'd share this story...

So we did a bug bounty campaign recently. For the non-technical folks: basically we research and discover exploitable vulnerabilities, then scan the internet for them. Some companies pay a reward for this, a crowdsourced security effort of sorts... smart.

The DOJ actually publicly stated that they wouldn't prosecute "white hat hacking" under the Computer Fraud and Abuse Act (CFAA) (the U.S. law that defines cybercrime) in order to support better security for America.

This vulnerability was exposing secrets like AWS & Azure admin credentials, keys, etc., and could be paired to remotely execute code on their servers. So we decided to inform the companies that don't offer a bug bounty (OK, self-servingly, we're a penetration testing company, so we figured it would establish some goodwill and possibly promote our pentesting services).

90% of the people we talked to were pretty cool and thanked us for the help.

But 10% of people were jerks, and a few of those jerks then later came back and asked us to help them fix it.

Moral of the story: don't be a jerk, especially when someone is trying to help you (for free).
