Not sure if you are aware, but the actual quote is "The decision to announce the research findings was intended to encourage remediation of the vulnerabilities prior to Election Day".
I like the idea of a marketplace, but I don't think background checks and references are the way to build a credible list of the world's best pentesters.
I think what patio11 is doing with Starfighters.io is orders of magnitude better. Run developers through a gauntlet of supremely difficult tests via a fun CTF-type game and pair the best hackers with the highest enterprise bidder. Works not just for pentesters, but all devs really.
Also, I know where to get the best pentesters because they're listed on all the top companies' bug bounty pages. It's proof of skill I'm after, not some Gartner-esque gatekeeper telling me who's best because they've "background checked" them.
Give me a system more like StackOverflow or Starfighters where I can see the work. Not something subjective like eBay or Yelp, which can be easily gamed.
I hear you and I get it. What you are describing are security-focused pen testers, mission-focused red-teams.
They are absolutely welcome, and they are a subset of the pen-tester universe. They are not a good fit for someone needing to get a PCI pen test, but they do incredible work in other areas.
It highlights the point in the blog that the landscape of finding the 'right' pen-test team is not easy. Some are brilliant at one thing, others at many, but even an elite group may not be the right fit for the task at hand.
We are taking the feedback system seriously and are slowly testing it out. An easily gamed system is useless for everyone.
But why must demonstration of skill be limited to elite red-team style pentesting? You could devise challenges geared at demonstrating all sorts of knowledge (HIPAA, PCI, websec) basic or advanced.
If you've seen the sad state of PCI audits in particular these days, you'll get my drift. I think there's a huge opportunity here to raise the quality bar with your marketplace.
We're hoping to be less "hoops" and more "a fun experience which competes with someone's Starcraft/Instagram/Game of Thrones/etc time" that also happens to be really useful the next time you're in the market for a job.
Take a look at the leaderboard for Microcorruption some time. It's public. (SF's are not, as a considered design decision for the moment.) If you do and cannot understand the claim I am making, that's cool, but I feel no particular need to elaborate.
More important in the long term than the names you will recognize are the names you will not.
The data ultimately lives upstream on a corporate file server, so long as you install the "AeroFS Team Server" -- which is the backing storage agent. The Team Server is indeed optional, so you could theoretically just run things in a peer-to-peer manner, but really the recommended environment is to have the Team Server up and running.
I think there's some truth in what you say about stroking journalists' egos, but remember, nobody is forcing Uber to play so aggressively; they're doing it for the sake of growth.
Revolutionary, fast-growing, successful companies are going to be scrutinized no matter what. It's up to the Uber exec and PR teams to decide when to put on the brakes--at the expense of growth--to avoid it.
Certainly there are other groundbreaking companies (e.g., SpaceX) that haven't found themselves in Uber's position, and it's likely due to their leadership, not their ability or willingness to pay off journalists.
To start, the Uber exec was suggesting that they do their dirt-digging anonymously ("Nobody would know it was us.").
Also, those articles you linked to are examples of journalists providing commentary around direct quotes or facts/reports about the company. AFAIK, Sarah Lacy didn't dig up and expose personal information about people at Uber nor their families.
According to Levie, Box has 99% of the Fortune 500. Does it really count if 75 people in Toyota's marketing department use Box to share a few hundred gigabytes of files?
The numbers don't lie: "Box’s average customer value (ACV) is $3,653, much lower than the median of 59,600." [1]
They're selling "enterprise" software at SMB price points.
Setting aside security concerns, getting a big enterprise to move a substantial part of their IT infrastructure to the cloud is a logistical nightmare. Perhaps they underestimated this.