Good article, but it's important to remember: this is fairly rare.
-
RE: https://chaos.social/@joeposaurus/116107550191010890
Good article, but it's important to remember: this is fairly rare. Most organizations are grateful to get reports
-
RE: https://chaos.social/@joeposaurus/116107550191010890
Good article, but it's important to remember: this is fairly rare. Most organizations are grateful to get reports
@iagox86 this has not been my experience. in my experience, most orgs just flatly ignore you outright
-
RE: https://chaos.social/@joeposaurus/116107550191010890
Good article, but it's important to remember: this is fairly rare. Most organizations are grateful to get reports
@iagox86 It feels relatively common in Germany. Laws and legal uncertainties aren't helping either.
I don't disclose anything privately to vendors anymore. I have better things to do with my time and money than fighting useless lawsuits against companies that are beyond stupid. If something *really* impactful should be on my table, I'd proxy that through the CCC, but apart from that? Companies need to learn the hard way here.
Modern Solution: Court of Appeal confirms guilt of security researcher
On appeal by the programmer who uncovered a security vulnerability in software from Modern Solution, the regional court confirmed the penalty order.
heise online (www.heise.de)
-
@iagox86 this has not been my experience. in my experience, most orgs just flatly ignore you outright
@Viss interesting! I've done research for a few years now and that hasn't been my experience - most of the time it goes well. I've even laundered vulns for others to keep their name off of it
The biggest problem is companies that insist you have to use their bounty which builds in an NDA
-
@Viss interesting! I've done research for a few years now and that hasn't been my experience - most of the time it goes well. I've even laundered vulns for others to keep their name off of it
The biggest problem is companies that insist you have to use their bounty which builds in an NDA
@iagox86 admittedly, it's been a while since i bothered, i tried sending openai bugs and they said 'lol out of scope'. the whole premise is flawed. we should stop doing work for free
-
@iagox86 admittedly, it's been a while since i bothered, i tried sending openai bugs and they said 'lol out of scope'. the whole premise is flawed. we should stop doing work for free
@Viss when I'm told it's out of scope, I just verify that it's permission to publish
It's not really "free", because I own the results and will publish it
-
@Viss when I'm told it's out of scope, I just verify that it's permission to publish
It's not really "free", because I own the results and will publish it
@iagox86 but they get your work for free and they fix the bug. it's functionally equivalent to donating free consulting hours. the fact you can publish is just the fringe benefit