https://arstechnica.com/information-technology/2019/03/50-shades-of-greyhat-a-study-in-how-not-to-handle-security-disclosures/
By Sean Gallagher
Ars Technica
3/26/2019
People who find security vulnerabilities commonly run into difficulties when
reporting them to the responsible company. But it's less common for such
situations to turn into tense trade-show confrontations—and competing claims of
assault and blackmail.
Yet that's what happened when executives at Atrient -- a casino technology firm
headquartered in West Bloomfield, Michigan -- stopped responding to two
UK-based security researchers who had reported some alleged security flaws. The
researchers thought they had reached an agreement regarding payment for their
work, but nothing final ever materialized. On February 5, 2019, one of the
researchers -- Dylan Wheeler, a 23-year-old Australian living in the UK --
stopped by Atrient's booth at a London conference to confront the company’s
chief operating officer.
What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got
in a confrontation with him and yanked off his conference lanyard; Gill insists
he did no such thing, and he accused Wheeler of attempted extortion.
The debacle culminated in legal threats and a lot of mudslinging, with live
play-by-play commentary as it played out on Twitter. Rapid7 Director of
Research Tod Beardsley was one of the spectators. "My first reaction,"
Beardsley joked, "was, man, I wish a vendor would punch me for disclosure. Boy,
that beats any bug bounty."
[...]