
560 points bearsyankees | 5 comments
1. 9283409232 No.43965328
There's no penalty for failing at privacy and security so companies would rather play the odds that they will be fine than invest in proper practices. Alex says Cerca is being misleading when it comes to encryption but it seems to me they are outright lying and will likely face no consequences for it. In a more just world, this would trigger so many regulatory and compliance audits.
replies(3): >>43965421 >>43965598 >>43965867
2. mooreds No.43965421
> There's no penalty for failing at privacy and security

I wouldn't say there's no penalty (they might have to pay for a year of identity theft protection or a fine).

I agree that the consequences are not in line with the damage to the public or customer base.

3. MaKey No.43965598
The GDPR allows for huge fines, so for companies operating in Europe there is an incentive to take privacy and security seriously.
replies(1): >>43965892
4. thesuitonym No.43965867
> Alex says Cerca is being misleading when it comes to encryption but it seems to me they are outright lying and will likely face no consequences for it.

Transmitting information via HTTPS is usually enough to say your app uses "encryption and other industry-standard measures to protect your data."

5. brazzy No.43965892
Namely, up to 20 million EUR or 4% of the previous year's revenue, whichever is larger.