
561 points bearsyankees | 1 comments
edm0nd ◴[] No.43965336[source]
> I have been met with radio silence.

That's when it's time to inform them you are dumping the vuln to the public in 90 days due to their silence.

9283409232 ◴[] No.43965359[source]
Good way to get yourself sued and have possible criminal charges brought up to you.
b8 ◴[] No.43965376[source]
Which has never happened before and if it does then the EFF would back you presumably.
9283409232 ◴[] No.43965442[source]
This is a completely uninformed comment. Security researchers get sued or threatened all the time. Bunnie was threatened by Microsoft for publishing his research on Xbox vulnerabilities, the city of Columbus sued David Ross for his reporting on data exposed during a ransomware attack, Google has threatened action against a few security researchers if memory serves and that is just what I can remember off the top of my head.
1. secalex ◴[] No.43965559[source]
Agreed. I've been doing this for 25+ years and personally know a dozen people who have been threatened and several who have been sued or faced potential prosecution for legitimate security research. I've experienced both situations!

That doesn't make it right, and the treatment of the researcher here was completely inappropriate, but telling young researchers to just go full disclosure without being careful about documentation, legal advice and staying within the various legal lines is itself irresponsible.