(ian.sh)

396 points galnagli | 1 comments | 22 Oct 25 18:21 UTC | HN request time: 0.198s | source

Show context

intheitmines ◴[22 Oct 25 19:37 UTC] No.45674109[source]▶

Just out of interest have you had any legal threats etc from this kind of probing if they don't have explicit bug bounty programs? Also do you ever get offered bounties in on reporting where there wasn't a program?

replies(3): >>45674680 #>>45674761 #>>45675110 #

zozbot234 ◴[22 Oct 25 21:02 UTC] No.45675110[source]▶

>>45674109 #

The kind of probing they did and described in the blogpost, with the attempt to raise their privileges to admin is legally fishy AIUI. Usually this kind of thing would be part of a formal, agreed-to "red teaming" or "penetration testing" exercise, precisely to avoid any kind of legal liability and establish necessary guidelines. Calling an attempted access "ethical" after the fact is not enough.

replies(2): >>45677031 #>>45677741 #

1. iancarroll ◴[23 Oct 25 00:59 UTC] No.45677031[source]▶

>>45675110 #

Good-faith security research[0] is the only way this industry will move forward, for better or worse. It is clear that most companies do not want to invest in anything further like VDPs.

[0] https://www.justice.gov/archives/opa/pr/department-justice-a...

↑

Accessing Max Verstappen's passport and PII through FIA bugs