Vendors and security researchers haven’t always gotten along, but when one physically assaults the other you know things have gone way off course.
A pair of UK-based security researchers found many critical flaws in a vendor’s casino player reward systems. All signs suggest that these researchers did their best, going well beyond the call of duty, to report these flaws responsibly to the vendor. Yet the company not only failed to fix the issues; one of its representatives allegedly assaulted a researcher, and the company has been denying everything despite evidence to the contrary. Watch today’s video to hear my rant about all the ways this company went wrong. It’s not my most practical video, but the world and other vendors need to know what not to do when a researcher reports a flaw!
Episode Runtime: 8:08
Direct YouTube Link: https://www.youtube.com/watch?v=26HmTWV5aDU
EPISODE REFERENCES:
- SecJuice’s original scoop outing the security disclosure drama – SecJuice
- Tweet and video taken after the alleged assault – Twitter
- Recording of the first half of the FBI call – DayAfterExploit
- Updated article after Atrient’s revoked response – CBR
—Corey Nachreiner, CISSP (@SecAdept)
Craig Sixta, CISSP says
This is a perfect example of why we as security professionals are often fighting an uphill battle to protect client data. Hopefully, the push for federal privacy laws (if they are written by people that actually understand technology) will greatly reduce stories like this. Short of that or being breached, I don’t see vendors like this changing. Keep up the great work Corey!