Dear "Security Researchers"

172 点作者 donnachangstein16 天前

23 条评论

Dear System Owners,I'm sorry that the security industry is a cesspool. We all know it's a cesspool. We can't pump it out.However, please do not let the absolute state of things cause you to give up on security. Don't stop patching, don't go back to writing your passwords on post-it notes, don't just expose everything to the open internet and don't let an LLM perform your only code security review. Keep doing the boring, basic things, and you'll have the best chance at keeping the attackers out.Ultimately security is a chore, like showering or visiting the dentist. And there are always going to be people telling you that you absolutely must apply deodorant to your groin or that you can avoid the dentist by rinsing with apple cider vinegar. Ignore them, and just keep doing the basics as well as you can.

评论 #43835063 未加载

评论 #43833131 未加载

评论 #43832656 未加载

评论 #43831289 未加载

junon16 天前

Reminds me of working on Chalk (JavaScript terminal coloring library).My first foray into "beg bounties" was with Chalk. We received a report that inputs that contained malicious terminal escape sequences would be emitted to the terminal if passed through chalk.But... yeah, of course they would. It's just a glorified string formatter, we don't care what you pass to us. They would have been emitted anyway if you just used console.log. There was literally nothing actionable for us to do. It wasn't our responsibility.It wasn't just left there. The "researcher" persisted, threatening to file a CVE (which wreaks havoc on an OSS dependency such as Chalk that has millions of downloads a day) and kept swinging their proverbial member around with how they work for soandso esteemed research company (it wasn't) and ultimately demanded we compensate for their time, citing it as a responsibility and obligation.I would have ignored it, but the threat of CVE (and the fact we'd have literally zero recourse against it) kept me on the hook.Ever since then it's really watered down my view of the CVE/CVSS systems and has turned me a bit bitter toward "security researchers" in general, which isn't where I'd like to be.With the rise of automatic ReDos detection the problem has only compounded over the last 4-5 years - things that might even technically fall under the "vulnerability" umbrella, but only if the code is so intentionally and egregiously misused, and in a manner that is dangerous with any library let alone ours, still earning a plea for monetary compensation.It's silly, saddening and only discourages people to work on OSS stuff at a scale larger than hobbies, to be honest.(Thank you for coming to my TED talk)EDIT: I should mention that I have received legitimate reports by well-meaning researchers (no quotes) that are detailed and professional in nature I'm always proud to service them and see them through. They're increasingly rare, though. The downside is that doing OSS for free means I still cannot compensate for their time, even though I would love to.

评论 #43831397 未加载

评论 #43836546 未加载

评论 #43831392 未加载

K0balt16 天前

Your front door is accessible to the public. Without a fence around your yard and a guard at the gate, bad actors could get access to your front door and exploit any number of door vulnerabilities, including a chainsaw or battering ram.Please send me $12,000 dollars.

评论 #43830948 未加载

评论 #43831185 未加载

评论 #43830565 未加载

评论 #43831422 未加载

评论 #43834602 未加载

leftcenterright16 天前

Beg bounty hunters have damaged the field so much.But even in 2025, I have come across companies who do not at all care about rewarding good security researchers who report issues. Hell, I have even been ghosted after reporting the bug which they promptly fixed and did not even write back to say a "thank you". Has anyone else also encountered this behavior from tech companies? (not talking about a non profit, hospital or gov agency here)

评论 #43830802 未加载

评论 #43830459 未加载

评论 #43830980 未加载

评论 #43832020 未加载

评论 #43831552 未加载

nottorp16 天前

"An attacker COULD if the stars align right EXPLOIT ..."I'm too tired of the current scareware industry to write more.The sad part is real security issues can get lost in the noise...

评论 #43830304 未加载

评论 #43830120 未加载

评论 #43831025 未加载

评论 #43830562 未加载

评论 #43830958 未加载

JohnKemeny16 天前

Related: "AI generated security reports about curl". 371 points on Jan 2, 2024, 121 comments.<a href="https://news.ycombinator.com/item?id=38845878">https://news.ycombinator.com/item?id=38845878</a>

评论 #43830091 未加载

a3w16 天前

404 for both of <a href="https://ftp.bit.nl/.well-known/security.txt" rel="nofollow">https://ftp.bit.nl/.well-known/security.txt</a> <a href="https://ftp.bit.nl/security.txt" rel="nofollow">https://ftp.bit.nl/security.txt</a>Wrong place, did not read. Here go the ``security researchers'' begging/threatening for money.

评论 #43830673 未加载

评论 #43831255 未加载

OsrsNeedsf2P16 天前

I can only imagine the frustration of Debian maintainers. It's so hard to remain positive and welcoming after years of abuse

评论 #43830355 未加载

mtmail16 天前

Same happens to us regularly. Server called 'downloads', in a directory 'public' whose homepage has the text 'this is a public server with files for very everybody to download'. There's even a file 'all-files-are-open-and-public-not-company-secrets.txt' in the directory.

piecelyJohn16 天前

I’m convinced that the cybersecurity and security research industry is largely a pass-the-blame market. And honestly, that's not a bad thing — it's smart and even necessary. If a publicly traded company suffers a security breach, they can say, "We hired [security firm] to harden our systems — if something went wrong, it’s on them." This way, the company deflects blame, protects its reputation, and keeps shareholders satisfied. All-in-all not a bad strat

评论 #43830767 未加载

评论 #43830631 未加载

praptak16 天前

Dear sysadmin for YCOMBINATOR,Critical vulnerability on port 80: an attacker could exfiltrate all comments posted therein. Please provide a bug bounty for this critical vulnerability.

评论 #43831488 未加载

TonyTrapp16 天前

See also this classic: "Source Code Disclosure of every possible project" on the Mozilla bugtracker: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=949446" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=949446</a>

评论 #43830494 未加载

评论 #43830540 未加载

bitbasher15 天前

Here's one I got today trying to scare me.Hi Team,We are following up regarding the critical vulnerabilities we had previously reported — we are still awaiting your acknowledgment and decision on appropriate compensation.Clear communication is vital in responsible vulnerability disclosure programs, and it’s important for both sides to remain engaged to ensure vulnerabilities are properly handled and rewarded fairly.We have also discovered additional high-risk issues that could impact your user security and overall platform integrity.However, we are waiting for closure on the earlier reports before moving forward with new disclosures.Please let us know the status update at your earliest convenience so we can proceed accordingly.Thank you for your attention to this matter.

fusslo16 天前

<a href="https://ftp.bit.nl/" rel="nofollow">https://ftp.bit.nl/</a>I'm at work and a little afraid of clicking on the 'pr0n' folder :)

评论 #43831564 未加载

评论 #43833650 未加载

apexalpha16 天前

"HIGH ALERT. YOUR STATIC WEBSITE WITHOUT ANY INPUT HAS IS MISSING A CERTAIN CSP HEADER. ALERT"Please send me €10.000 for this disclosure.

dist-epoch16 天前

> There is NO SENSITIVE INFORMATION on this server.So if hypothetically I would find a .csv file with emails, names, dates of births and addresses on this website, I should not send an email because it can't possibly be a data leak.

评论 #43830966 未加载

yieldcrv16 天前

dear sir or madam, please do the needful and transfer the sum

mad016 天前

"p0rn" dir in root level is a nice touch for this.

pornel16 天前

There's a harmless "vulnerability" that some automated scanners keep finding on my website. I've deliberately left it "unfixed", and block everyone who emails me about it.

devttyUSB016 天前

Hi. System Owner here. Funny to see this pop up on ycombinator and thanks for pointing out a security.txt was missing. Fair point. I've added it with a clearer note not to report "open directory", specifically. Never forget to have a wonderful day, everyone.

abhisek16 天前

lol. That should be “bug bounty hunters”.

评论 #43829782 未加载

评论 #43831394 未加载

lifestyleguru16 天前

Thank you Debian, you are awesome and I love you ♥ (no homo).

评论 #43831217 未加载

LunaSea16 天前

Coming from the distribution that didn't generate SSH keys correctly for two years (insane security impact), that's a bit rich.Source: <a href="https://jblevins.org/log/ssh-vulnkey" rel="nofollow">https://jblevins.org/log/ssh-vulnkey</a>

评论 #43830768 未加载

评论 #43830757 未加载

评论 #43831061 未加载