A researcher should not have to “try different emails”. Period. There should be a clearly disclosed email provided by the company to report such issues. Very obviously plastered. Or just use the standard abuse@, security@, infosec@, etc.
It is by far in the company’s best interests for this to happen because the alternative is public disclosure or disclosure to black hats instead.
Anything more is jumping through hoops. It should not be the researcher’s responsibility or burden to go out of their way to help a company that hasn’t done the bare minimum to welcome white hats helping them secure their own systems.
Yes, of course companies should do that, but in the real world a lot of companies don't think to do that, especially a marketing site for a VC firm.
Any dev knows what it's like having a million responsibilities; a lot of things get put on TODO lists that never get completed. Them being owned by a wealthy company doesn't mean they have a huge dev team running 24/7 to handle this stuff. Which is probably why such an obvious failure even happened...
Security researchers get high and mighty extremely quickly, which is immature IMO.
The security researcher in this case worked for free to find a hole in their security, reached out via a provided email address, had that bounce, so then chose to reach out via a different messaging system to let them know that there was an issue. ALL OF THIS WAS UNPAID. They have 0 or less responsibility to this firm. The researcher was doing them a huge favor.
> Security researchers get high and mighty extremely quickly, which is immature IMO.
Immature would have been not trying to responsibly disclose this, or disclosing the hole before it was patched.
>Any dev knows what it's like having a million responsibilities,
Any airplane mechanic has a million responsibilities, and if they are not followed people fucking die. Maybe software devs should step up and take a little responsibility for their lack of action that can have consequences for their users.
Security researchers owe you nothing. If you make the path of least resistance selling sploits to blackhat groups the world will be a worse place.