Vendor allegedly assaults security researcher who disclosed massive vulnerability

guest · Feb 7, 2019

Vendor allegedly assaults security researcher who disclosed massive vulnerability
February 6, 2019
https://www.csoonline.com/article/3...cher-who-disclosed-massive-vulnerability.html

The vendor is Atrient, the product is PowerKiosk, and the flaw allows personal data to be transmitted unencrypted — reportedly serious enough to make it “extremely vulnerable to criminal abuse.”

Additionally, Atrient’s third-party subcontractors were allegedly “not taking even basic security steps to secure any of this infrastructure from being discover on the open internet.”
The vulnerability was discovered by @Me9187 and Dylan Wheeler, aka @degenerateDaE, but Atrient allegedly ignored them as they repeatedly tried to report the vulnerability.

After a friend tweeted about the flaw to help the researchers, it wasn’t Atrient’s attention that was snagged but the FBI’s — the FBI Cyber Fusion Unit division, according to an article on Secjuice.

Apparently the feds weren’t as easy to ignore as the researchers had been. During the conference call, Atrient reportedly told the FBI it would rather “talk about this offline” when the feds asked if Atrient had properly notified their customers of the breach and flaw in the systems.
Click to expand...

The scary one in this scenario is actually not the FBI, but Atrient because it allegedly offered the researchers a $60,000 bug bounty as long as they were quiet about the flaw and waited on attorneys to draw up an NDA. Four months later … no bug bounty payment, no NDA, and no fix for the flaw.
Click to expand...

guest · Mar 30, 2019

longer article:
Casino Screwup Royale: A tale of “ethical hacking” gone awry
March 26, 2019
https://arstechnica.com/information...dy-in-how-not-to-handle-security-disclosures/

The debacle culminated in legal threats and a lot of mudslinging, with live play-by-play commentary as it played out on Twitter. Rapid7 Director of Research Tod Beardsley was one of the spectators. "My first reaction," Beardsley joked, "was, man, I wish a vendor would punch me for disclosure. Boy, that beats any bug bounty."

The story is practically a case study in the problems that can arise with vulnerability research and disclosure.

"[...] It's on us as an industry not only to train corporate America on how to take disclosure, but also we need to do a little more training for people who find these bugs—especially today, in an era where bug outings are kind of normal now—to not expect someone to be necessarily grateful when one shows up."
Click to expand...

Log in or Sign up

Vendor allegedly assaults security researcher who disclosed massive vulnerability

guest Guest

guest Guest

Log in or Sign up

Vendor allegedly assaults security researcher who disclosed massive vulnerability

guest Guest

guest Guest

Useful Searches