i think you might want to take a breath, rethink that position and not let your anger cause you to do something stupid. if you disclose a vulnerability, the company HAS EVERY RIGHT to sue you. every security researcher _thinks_ that they are protected by some unwritten good Samaritan law, when in fact, you are hacking and that carries financial and criminal penalties. this is why these bug bounties and established ways of notifying the company of the vulnerabilities exist. you stepping outside of these established channels can be VERY costly. imagine in a moment of unclear thinking and childish behavior, you do something that could cost you your livelihood and financial well-being and also, maybe, get you thrown in jail.
> not let your anger cause you to do something stupid
Note: I didn't say that I would do this for every company. Just ones that use HackerOne. They have decided to abdicate their responsibility for their security vulnerability reporting, and I feel completely justified in dumping info on their vulnerabilities.
Releasing the details of a vulnerability is not stupid. The users of the software/service deserve to know the data/service they're using is unsafe when a vendor refuses to act on a valid security issue.
> If you disclose a vulnerability, the company HAS EVERY RIGHT to sue you.
You don't need the right to file a lawsuit to file a lawsuit. You just file the lawsuit. Now, you need an actual, actionable claim to prevail as a plaintiff in a lawsuit. Whether such a thing exists in practice is something we leave to lawyers to argue about and judges/juries to decide.
If your company is in a competitive industry and I release the details of a vulnerability in your software and you sue me, then that vulnerability and lawsuit become marketing item number one for all of your competitors.
> this is why these bug bounties and established ways of notifying the company of the vulnerabilities exists
Arguably why they exist. In reality, they tend to exist to give people an incentive to not dump the vuln details on the black market, embargo bugs so customers don't leave, and attempt to maintain a good relationship with security researchers. They do not grant immunity from being sued or somehow grant the legal right for security researchers to do their work as your comment seems to indicate.
Your post reads like propaganda from a bug bounty organization. I'm not saying that you're shilling, just that you're misinformed. In the US it is generally legal to conduct security research. In the US it is legal to communicate the results of that research publicly so long as you have not agreed in some contract to not do so.
Where did you get the idea that legitimate security research is a crime?
i'm not going to argue with you. if your actions and attitude get you in trouble, it won't affect me in the least nor do i care. so if you want to continue to be self-righteous and say and do stupid things, that's on you.
Insane comment. As a customer of these companies, this attitude is borderline criminal and a big cause of the repeated data breaches. Why should I trust any company that sues security researchers for disclosure?