I’ve been reporting major problems nonstop for the past like 20 years. It usually takes me less than 5 minutes when I first learn of some new security feature to find a problem with it. Most of that 5 minutes is physically writing my email to security highlighting major oversights. I don’t know how these people get jobs and gatekeep me out of both hiring and my scientifically accurate and backed feedback for not passing the BuzzFeed security quizzes for certifications. I’m otherwise a full-stack software engineer.

Even my simple requests, like not auto-flagging emails from confirmed and fully validated Microsoft services, get denied because it’s “too hard,” so everything except internal users and random whitelisted services like GitHub, Azure and AWS is instead flagged as suspicious, causing alertness fatigue.

I’ve reported major logic problems to many major companies, and usually the only response I get is an indirect follow-up email through HR or some other non-technical people, sent to the entire distribution list, saying how it’s technically better than what was there before (it’s scientifically and mathematically not) and that we just need to do it.

I never get recognized or win bug bounties because there’s always some loophole where I didn’t actually help them, and they just magically fixed the long-standing issue by coincidence after I reported it.

Most recently, I discovered a “feature” in Microsoft OAuth that has a severe flaw and could essentially shut down all MS OAuth functionality, and all consequences branching from that. Still no response.

I’m not even trying to find these. They just keep getting in my way of trying to do work.

For example, I have to authenticate up to FIVE times per authentication: auth syncing can be slow, leading to multiple auth requests where a single one would otherwise propagate.

5 authentications * 5 programs needing individual (slow-sync) auth = 25 authentications I already have to pass to be able to start standup, or to un-hard-freeze my live demo in front of potentially hundreds of engineers.

Imagine driving your car, and the steering wheel locks when it loses internet connection (like in a tunnel, or just randomly) or because the re-auth period has passed. Security devs don’t want to full-stop the car because they’ll get yelled at, so they just lock the steering so you can’t steer home.

Well, now if you’re on a highway, that’s pretty stressful and dangerous. But it’s like they are just salting the wound by adding a series of glitchy minigames where you have to first read all the spammy popup dialogs, then solve a Baldi’s Basics math puzzle, then rotate a ball so it’s not upside down (?), and then manually match a missile launch code.
