That's crazy to not have responded to his repeated requests!
replies(3):
> During our conversation, the Cerca team acknowledged the seriousness of these issues, expressed gratitude for the responsible disclosure, and assured me they would promptly address the vulnerabilities and inform affected users.
Well, that was the decent thing to do and they did it. Beyond that it is their internal problem, especially since they did fix the issue according to the article.
Engineers can be a little too open and naive. Perhaps his first contact was with the technical team but then management and the legal team got hold of the issue and shut it off.
Then you have no duty to report the vuln to the company and instead should feel free to disclose it to the world.
A little politeness goes a long ways on both sides.