
570 points, posted by bearsyankees | 1 comment

xutopia [43965126]
That's crazy to not have responded to his repeated requests!
replies (3): 43965190, 43965227, 43965306

benzible [43965190]
As someone managing a relatively low-profile SaaS app, I get constant reports from "security researchers" who just ran automated vulnerability scanners and are seeking bounties on minor issues. That said, it's inexcusable - they absolutely need to take these reports seriously and distinguish between scanner spam and legitimate security research like this.

Update: obviously I just skimmed this, per responses below.

replies (3): 43965283, 43965303, 43965441

nick238 [43965441]
Pardon sir, I see you have:

* Port 443 exposed to the internets. This can allow attackers to gain access to information you have. $10k fee for discovery.

* Your port 443 responds with "Server: AmazonS3" header. This can allow attackers to identify your hosting company. $10k fee for discovery.

Please remit payment and we will offer instructions for remediation.