
Trying more than one email is not jumping through hoops when it's one of the worst possible vulnerabilities hitting all of their databases/platforms. Being a researcher means being an adult and having a basic level of responsibility. Just like being a gun owner, it's a powerful tool that needs to be treated with utmost respect.

A lot of pentesters are just kids who are angry at the world and the poor state of security, which I get, but it's not a huge barrier to try a bit more. He would have been rewarded if he did.



A researcher should not have to “try different emails”. Period. There should be a clearly disclosed email provided by the company to report such issues. Very obviously plastered. Or just use the standard abuse@, security@, infosec@, etc.

It is by far in the company’s best interests for this to happen because the alternative is public disclosure or disclosure to black hats instead.

Anything more is jumping through hoops. It should not be the researcher’s responsibility or burden to go out of their way to help a company that hasn’t done the bare minimum to welcome white hats helping them secure their own systems.


Yes of course companies should do that, but in the real world a lot of companies don't think to do that, especially a marketing site for a VC firm.

Any dev knows what it's like having a million responsibilities, a lot of things get put on TODO lists that never get completed. Them being owned by a wealthy company doesn't mean they have a huge dev team running 24/7 to handle this stuff. Which is probably why such an obvious failure even happened...

Security researchers get high and mighty extremely quickly, which is immature IMO.


The security researcher in this case worked for free to find a hole in their security, reached out via a provided email address, had that bounce, so then chose to reach out via a different messaging system to let them know that there was an issue. ALL OF THIS WAS UNPAID. They have 0 or less responsibility to this firm. The researcher was doing them a huge favor.

> Security researchers get high and mighty extremely quickly, which is immature IMO.

Immature would have been not trying to responsibly disclose this, or disclosing the hole before it was patched.


WTF is this thinking?

> Any dev knows what it's like having a million responsibilities,

Any airplane mechanic has a million responsibilities, and if they are not followed people fucking die. Maybe software devs should step up and take a little responsibility for their lack of action that can have consequences for their users.

Security researchers owe you nothing. If you make the path of least resistance selling sploits to blackhat groups the world will be a worse place.


Alright then: you go to Andreessen Horowitz's website[1] and see if you can find a SINGLE email address in any of the normal places a business would list the (not-social-media) contact information. Because they did their damnedest to make sure you won't find any.

[1] https://a16z.com/


I already linked to them in my comment below

Click nav

click “how to connect with us” -> https://a16z.com/connect/

See 4 emails at the bottom for each office

See 4 links to social media pages where every single one has DMs open

Wait at least a couple business days to see if anyone replies, if no one does or it’s not being taken seriously then you can announce it publicly on social media you found something but can’t reach them


> Huge effort, I know

Okay. There are 4 front office emails and 4 social media accounts, both presumably manned by non-technical folks.

So now you have to go back and forth just to get routed to the right place. Which may not even happen if this is the first time that employee handled a security incident.

You’re making it sound like sending the email or DM is the end of the work. That is usually far from the case.


Emailing an office manager with a company security issue would be incredibly irresponsible. They're in charge of managing the physical office and are about as "outside" as you can get in a company while still being employed by that company.



