> First of all, please do not ignore this email, this is not a scam attempt nor am I trying to sell anything, I am just alerting and looking for help closing down a security issue […]
I can't tell if people are being deliberately dense as a way of punishing me for having a critical opinion, not reading the rest of the comments before responding to me, or genuinely do not understand what I am getting at.
DangitBobby|1 year ago
A hallmark of a nefarious email (particularly scams but some sales attempts) is that they aim to deceive you. Humans famously have the capability of lying. Someone telling me they are _not_ selling something or scamming me doesn't actually tell me what they want, and it does not provide me with enough information to know that they are not, in fact, scamming me. It just lets me know they don't want me to think I am being scammed.
ziddoap|1 year ago
> A hallmark of a nefarious email (particularly scams but some sales attempts) is that they aim to deceive you.
The very first email has literally everything the company needs to locate and fix the issue without having to sign anything, log into anything, or pay anything.
That is the opposite of a nefarious email.
Nefarious "beg bounty" emails will tell you that you have an issue and then not tell you where it is -- asking for money before revealing the issue.
quesera|1 year ago
FWIW, I get several of these emails per week, as the first-reader of security@ emails, and they're almost always scams, sales pitches, or poorly-disguised bounty sniffers.
I can't even count the number of times I've been informed that Wordpress.com (.com, not self-hosted) has severe vulnerabilities. And those are the plausible reports.
But I always respond professionally and with civility, obviously, because if they have useful information for me, I want to hear it.
In defense of the researcher: Their message was better than most, and explained the issue found directly instead of couching it in BS claims. That's good.
In criticism of the researcher: They should have linked to their website where they publish reports, and been more plain about their modus operandi from the outset. Let the company know exactly who they're dealing with, and what to expect. Stating it in a sentence is "good", but linking to the evidence is much more credible.
I've been on both sides of this relationship. My dumbest experience was with a large bank (HQ in the Netherlands, but operating in several countries including the US and AU, and now acquired by a US bank). I reported a total account compromise vulnerability which would affect 12.5% of their users. I thought my email would be well-received and the (very simple and externally-obvious) issue quickly resolved. Instead I got threats and hostility from some SVP IS nitwit. I told him to go pound sand obviously, and it took them a week to fix the problem. My SO was a customer (which is the only reason I noticed the issue), but not for long. :)