As someone managing a relatively low-profile SaaS app, I get constant reports from "security researchers" who just ran automated vulnerability scanners and are seeking bounties on minor issues. That said, it's inexcusable - they absolutely need to take these reports seriously and distinguish between scanner spam and legitimate security research like this.
Update: obviously I just skimmed this, per responses below.
They already met with him and acknowledged the problem. So their lack of follow-up is an attempt to push things under the rug. Users deserve to know that their data was compromised. In some places of the world it is a crime to not report a data leak.
It sounds like they actually met with him, patched the issues, and then didn’t respond afterwards. IMO that is quite rude of them toward him, but they do seem to have taken the issue itself somewhat seriously.