TechEcho
JPMC: An open letter to third-party suppliers

36 points by kossae 26 days ago

2 comments

EdwardKrayer 25 days ago

Ironic that JPMorgan Chase demands suppliers improve security while neglecting basic practices, like crediting vulnerability researchers [1]. With 18% YoY profit growth in 2024 [2], they could easily allocate additional resources to drive meaningful industry-wide change that would benefit all of us.

Maybe the real issue is they choose to bring in lower quality suppliers that they deemed to be "good enough", instead of hiring quality, and building robust internal process to make sure the type of feedback is brought to the suppliers directly - with examples, and well thought out suggestions instead of this notice posted on the office fridge.

To me, this looks like a lack of will for financial commitment rather than an industry-wide plague that's impervious to the ultimate resource to fix nearly every problem we face - willpower and an increased budget.

[1]: https://www.linkedin.com/posts/shubhankargaur_jpmorganchase-vapt-bugbounty-activity-7118668328981700610-KrHA

[2]: https://www.reuters.com/business/finance/jpmorgan-profit-jumps-dealmakers-traders-ride-market-rebound-2025-01-15/

pledess 18 days ago

The letter mentions OAuth but doesn't mention the ongoing work to address the https://eprint.iacr.org/2025/629 findings, CVE-2025-27371.