←back to thread

I hacked a dating app (and how not to treat a security researcher)

(alexschapiro.com)
570 points bearsyankees | 1 comments | 12 May 25 16:39 UTC | HN request time: 0.279s | source
Show context
edm0nd ◴[12 May 25 17:16 UTC] No.43965336[source]
> I have been met with radio silence.

Thats when its time to inform them you are dumping the vuln to the public in 90 days due to their silence.

replies(3): >>43965359 #>>43965374 #>>43965518 #
9283409232 ◴[12 May 25 17:18 UTC] No.43965359[source]
Good way to get yourself sued and have possible criminal charges brought up to you.
replies(3): >>43965376 #>>43965385 #>>43965884 #
b8 ◴[12 May 25 17:20 UTC] No.43965376[source]
Which has never happened before and if it does then the EFF would back you presumably.
replies(2): >>43965442 #>>43965504 #
9283409232 ◴[12 May 25 17:28 UTC] No.43965442[source]
This is a completely uninformed comment. Security researchers get sued or threatened all the time. Bunnie was threatened by Microsoft for publishing his research on Xbox vulnerabilities, the city of Columbus sued David Ross for his reporting on data exposed during a ransomware attack, Google has threatened action against a few security researchers if memory serves and that is just what I can remember off the top of my head.
replies(4): >>43965559 #>>43965722 #>>43965731 #>>43965873 #
1. tgsovlerkhgsel ◴[12 May 25 18:04 UTC] No.43965873[source]
Threats with the goal to prevent publication are incredibly common.

Following up on the threat is much less common, and the best way to prevent that (IMO) is to remove the motivation to do so: Once the vuln is public and further threats can not prevent the publication, just draw more negative attention to the company, the company has much fewer incentives to threaten or follow up on threats already made.

It's not a guarantee, you can always hit a vindicative and stupid business owner, but usually publishing in response to threats isn't just the right thing to do (to discourage such attempts) but also the smart thing to do (to protect yourself).