83 comments

  • mcoliver 16 hours ago

    I've seen this at so many startups (and worked to patch the gaps and put in best practices) including those backed by top tier VCs. The problem is that it is rare for startups to have security minded people.

    It's usually designers, people who can raise money, and generalists who can stitch together apis. It's not generally platform, db, or security minded people. The proliferation of things like vercel and supabase have exacerbated this.

    So you get people deploying API keys client side and dbs without rls. Or deploying service keys client side when they should be anon. I mean really basic stuff.

    • maccard 9 minutes ago

Honestly though, I get it. If you have headcount for two people, do you want one of those people to be a DBA and another to be a platform architect? Who's going to actually make the app?

      I genuinely think the problem is that frameworks don't do this for you. Why should you need a DBA and platform architect to make a multi tenant CRUD app, pretty much everyone does the same thing.

    • The_Blade 15 hours ago

      > So you get people deploying API keys client side and dbs without rls. Or deploying service keys client side when they should be anon. I mean really basic stuff.

      Claude Code will do this, and actively encourage bypassing any verification before pushing to prod. I saw that first hand with its attempted handling of a major CIAM provider, and then Vercel using whatever OAuth provider in the ol' transitive breach

      That is common knowledge now, right? Or am I just smoking yellow tops

      • fragmede 12 hours ago

        Yeah but Supabase yells really loudly if you have RLS turned off with their own AI agent, plus you can ask Claude to red team the platform to have it lock it down.

    • BowBun 15 hours ago

      Yep, this has been my experience over 15 years in startups as well. There are barely any punishments, so there is no incentive for startups to change how they operate.

      • cyanydeez 15 hours ago

        You could even say they're paid even more to "move fast and break things".

        • bigfatkitten 5 hours ago

          While simultaneously wondering why software development being treated as a discipline of engineering is such a controversial subject.

      • bigyabai 14 hours ago

        Same here. I've witnessed horrifying security bugs that were basically flagged as WONTFIX internally because it was too much work to fix until it was exploited.

    • throwaway523401 11 hours ago

      I used to work at a startup that handled medical records. A HIPAA breach would have wiped out the company through reputation damage — because our customers were also subject to HIPAA and couldn't possibly hire a startup with a track record of HIPAA breaches.

      In my personal assessment some individuals within leadership at this startup were highly risk-tolerant. I speculate that had those individuals been in leadership at other companies not subject to HIPAA, security practices would have been as lax and irresponsible as what's being described as the norm in this thread.

However, because of HIPAA, security practices at this company were fair-to-middling. There were certainly weak areas and mindless box-checking a la SOC-2, but it wasn't a complete shitshow. Those of us in the engineering department who cared were able to raise concerns and not have them dismissed, and were generally allowed to do things the right way.

      My takeaway: when there are actual severe penalties for privacy breaches, startups may not be so cavalier with your data.

    • c2h5oh 15 hours ago

      More often than not security minded people are encouraged to focus on things that get the product to market faster instead.

    • chrisss395 13 hours ago

      In your opinion, is the lack of attention on security due to speed-bias or not having the expertise? For a startup / sole entrepreneur with very limited resources, what would be your advice?

      • hansvm 11 hours ago

        IME it's always lack of experience, at least at the level being described here. It's the same kind of person adding CORS handling to a pure backend service for "security" reasons. They just don't know any better and don't have a good enough mental model of how it all fits together to be able to recognize when they need to research more. The insecure patterns being chosen instead usually aren't even easier or faster to implement.

        I don't have any concrete recommendations other than that one really good senior+ engineer is more important than a legion of juniors early on. Basic security doesn't require an extra hire; it requires somebody experienced enough to build your product right.

        • jrumbut 11 hours ago

          Yeah, in most cases these security vulnerabilities are also regular bugs too.

I'll bet at some point someone contacted this company and said "hey I'm being shown the wrong course" or "I can't access the material I just uploaded."

          I've never seen anyone who got the basics right compromised because of some esoteric security issue. I'm sure it happens and probably will happen more now that it can be automated but it's usually a case of a system being left wide open.

      • mcoliver 7 hours ago

Yeah what was said below. Lack of experience. A lot of people just don't know to ask about it or think through data flows. Running your code base through an llm asking it to act as an l7 security auditor, take its time, think from first principles, and look for data leaks and potential security gaps in the code and architecture is a good start. Also don't ignore supabase when it gives you suggestions on things to fix.

        As a solo entrepreneur you really have to prioritize your time but spending an extra day or two to think through everything using something like Gemini thinking or pro and an llm with an eye on security before you start taking customer data is probably a really good use of your time and you'll learn a thing or three. Just keep asking why and think critically.

  • luminati 13 hours ago

    off-topic, but I've become quite intrigued with AI pentesting, after being very unhappy with the various pentest firms we've used in the past, that rip us off or do very mediocre tests (of course yeah yeah the really good ones exist but even then they're not going to match the speed at which we are claude coding now).

Tried a bunch of open source pentesters, including strix (though we never managed to get strix to actually complete). This project called shannon was the only one that we managed to get working reliably and it definitely smoked the output of one of the $10K pentests we did (we had just discovered shannon after we had gotten the pentest firm's report, so it gave us a good baseline comparison). Caveat: this was white box and our pentest firm did greybox, but nevertheless I was still very unimpressed by what I got from the pentest firm. $50 vs $10K is not even a comparison lol with far far better results and sent our cto into near heart attack mode.

    i think the days of pentesting firms are over - especially with mythos/5.5-cyber etc like capability coming into play. very exciting times ahead!

    • jxmesth 4 hours ago

      We've been thinking about testing this stuff out as well. Have you had a chance to look into stuff like XBOW/Horizon3?

    • eskibars 8 hours ago

      I know the space is starting to get crowded, but I've been building one and I'd love to get feedback if you have time

  • codegeek 17 hours ago

    "There was no meaningful organization scoping, no tenant isolation, and no permission check preventing a low-privilege user from accessing other organizations' records."

    Let me guess though. They are SOC2 and ISO compliant right ?

    • sailfast 16 hours ago

      One hopes not as this stuff would have come up in even a cursory audit of the product - but it’s kinda like Ratings Agencies / Moody’s in 2008 right now until a big breach that occurs post-cert and they lose their credibility.

      • zbentley 16 hours ago

        The number of FISMA-HIGH, ATO’d/RMF’d, security audited government systems I’ve seen with equivalent security issues is…substantially nonzero.

        I have come to believe that most security audits, even ones conducted through widely-reputed groups or under strict standards, are much worse than useless.

        Audits are a thing that can theoretically be done well/in a value-adding way, but rarely are, for the same reasons that most private-sector security teams I’ve worked with are effective only at generating internal badwill, and ineffective at increasing security above a very low baseline.

        • moron4hire an hour ago

I've been trying to figure out what exactly our IT Security Team does. Because all they seem to do is create stupid impediments that actually push people into making workarounds that make everything less secure.

          For example, they won't create for me an MS Entra ID App Registration for our internal project Because Security Reasons (they literally won't tell me why). So instead, I use Integrated Windows Authentication, which is about as secure as a hotel bar patron charging to "his" room.

          They are insisting everyone start RDPing into a VM in Azure to do development work. Won't be able to get to the new source control system without it. Old system is losing its license, etc, etc. Oh, but the new system is not approved for storing CUI. So... what the actual fuck are our AFSIM developers supposed to do?

These VMs are 1/4 the hardware specs of my laptop in almost every dimension, yet still somehow cost 50% more to rent per year than the entire purchase price of my laptop. Plus they are timesharing us in them, 4 developers per VM. It's not like we live in majorly different timezones. We're either all going to be on from 9am - 5pm EST or we're not.

          Within these VMs, I have absolutely zero ability to install any software or modify any settings. Even the god damn clock is set to GMT+0 and I can't change it to local time. Sure would be nice if the most visible clock in my visual field accurately portrayed the current time when I have the RDP session running full screen, which is basically the only way to run it without wanting to hammer drill my brains out.

          I have heard rumors that a lot of the other developers have started working from their personal devices, because otherwise they are at a complete work stoppage on their work computers due to the cockamamie IT setup. So congratulations, IT Security Team. Good job.

          I still want to know why--when we're wanting to run services like Document Intelligence and Azure OpenAI in Azure GCC High, a FedRAMP-High approved environment with these services claiming DoD Impact Level 5 compliance--our IT Security department thinks that can't be used for CUI. They say we need to spend 2 years and $2 million doing some kind of review of Azure itself before it can be approved for CUI. Uhm, no? If it needs that, why would we spend that money and time? Why wouldn't Microsoft be the one to do that?

  • janice1999 17 hours ago

    Finally the AI security startup hustlers will keep the other tech startup hustlers in line. Maybe the era of devastating leaks and total disregard for user privacy will come to an end (doubtful).

    • SkyGuard_Lead 14 hours ago

      Wait until we understand the depth of the current Mythos zero day situation. We already have an overall idea of what’s to come but I don’t think we can grasp the high level implications the vast array of these vulnerabilities have in store for us. I don’t see/ say this in a doomsday-ish way nor the world coming to an end. It will sting a bit but overall it’s way overdue and spells opportunity for all, imo.

      • ghstinda 14 hours ago

        it won't end at mythos, that's just the one everyone knows about and obvious. think of what's going on behind the scenes, that's the real gold rush

  • tptacek 17 hours ago

    Initial take: as vulnerability stories go, this is a pretty boring one; what they have here is a target that was secured largely by the fact that few people knew about it. The most work done in this blog post is establishing that a training platform deployed by DoD might be much more sensitive than the same kinds of applications which are ubiquitous throughout corporate America and which are generally boring targets.

    The vulnerability itself appears to be something anyone with mitmproxy would have spotted within minutes of looking at the platform; apparently, rotating object IDs worked everywhere in the app, and there was no meaningful authz.

    It's interesting if AI systems can "spot" these, in the sense of autonomously exercising the application and "understanding" obvious failed authz check patterns. But it's a "hm, ok, sure" kind of interesting.
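
The pattern described in this comment and in the quoted finding above (an object ID lookup with no tenant check, so "rotating object IDs" reads other organizations' records) is easiest to see side by side with the scoped version. The following is an added example, not code from the article or from the vendor it discusses; the table name, the org identifiers and the four sample rows are constructed for illustration. The last function is the regression check a defender would keep in a test suite: it asserts that no record is readable by a caller from a different organization.

```python
import sqlite3
from typing import Callable, Optional

# Constructed sample data: two tenants, each owning two records.
SAMPLE_RECORDS = [
    (1, "org-alpha", "alpha training roster"),
    (2, "org-alpha", "alpha course material"),
    (3, "org-bravo", "bravo training roster"),
    (4, "org-bravo", "bravo course material"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        "id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_RECORDS)
    conn.commit()
    return conn


def fetch_record_unscoped(conn: sqlite3.Connection, caller_org: str,
                          record_id: int) -> Optional[str]:
    """Vulnerable handler: the caller is authenticated (caller_org is known),
    but the query keys only on the object ID, so any ID works for anyone."""
    row = conn.execute(
        "SELECT body FROM records WHERE id = ?", (record_id,)
    ).fetchone()
    return row[0] if row else None


def fetch_record_scoped(conn: sqlite3.Connection, caller_org: str,
                        record_id: int) -> Optional[str]:
    """Hardened handler: the tenant is part of the query predicate, so a
    record outside the caller's org is indistinguishable from a missing one
    (no oracle telling the caller that the ID exists)."""
    row = conn.execute(
        "SELECT body FROM records WHERE id = ? AND org_id = ?",
        (record_id, caller_org),
    ).fetchone()
    return row[0] if row else None


def cross_tenant_reads(conn: sqlite3.Connection,
                       handler: Callable[[sqlite3.Connection, str, int],
                                         Optional[str]]) -> int:
    """Tenant-isolation regression check: for every record, call the handler
    as each *other* organization and count successful reads. Correct is 0."""
    rows = conn.execute("SELECT id, org_id FROM records").fetchall()
    orgs = sorted({org for _, org in rows})
    leaks = 0
    for record_id, owner in rows:
        for caller in orgs:
            if caller != owner and handler(conn, caller, record_id) is not None:
                leaks += 1
    return leaks


if __name__ == "__main__":
    db = make_db()
    print("unscoped handler leaks:", cross_tenant_reads(db, fetch_record_unscoped))
    print("scoped handler leaks:  ", cross_tenant_reads(db, fetch_record_scoped))
```

With four records and two organizations, the unscoped handler leaks all four records to the other tenant, while the scoped handler leaks none. The check is cheap to run against a real handler in CI, and it catches exactly the class of defect the comment describes regardless of whether the IDs are sequential or random.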

  • stephbook 14 hours ago

    Tenant scoping is important. Just ask Microsoft, didn't they have one right at bing.com? Oh, just every Bing user is vulnerable to have all Microsoft data (o365 emails for example) hacked. No biggie.

    https://www.wiz.io/blog/azure-active-directory-bing-misconfi...

  • neilv 16 hours ago

    Two questions prompted by this disclosure:

    1. I didn't see mention of a bug bounty program giving limited authorization. How do independent researchers do this with legal safety? Especially when DoD is involved?

    2. If a researcher discovered a vulnerability at a DoD contractor, and the contractor didn't seem to be resolving the problem, is there a DoD contact point that would be effective and safe for the researcher to report it?

    • orthogonal_cube 16 hours ago

      To answer the first question, a number of veteran independent researchers probably wouldn’t have touched such a system. Plenty of companies will send their lawyers after you if you tell them that you’ve discovered a vulnerability of some sort and wish to responsibly disclose. Even if you do things in good faith, the company has zero reason to assume the best from you and can hold a sword over your head by citing poorly-written laws that lean in their favor regarding computer fraud and abuse.

      DoD does appear to offer a “Defense Industrial Base - Vulnerability Disclosure Program” for all public-facing DoD/DoW systems.[1] However, this might not include contractor-controlled assets or services. I cannot view the HackerOne page that it redirects to (login is required) to view more details.

      [1]: https://www.dc3.mil/Missions/Vulnerability-Disclosure/DIB-Vu...

      • ungreased0675 11 hours ago

        The line between security research and espionage seems really thin.

    • antonymoose 16 hours ago

      > How do independent researchers do this with legal safety?

      In my experience it’s usually foreign nationals from third-world countries doing drive-by beg-bounty testing. Presumably they don’t much consider legality.

      • bornfreddy 15 hours ago

        > Presumably they don’t much consider legality.

        Or the operation is not even illegal where they come from?

  • bryancoxwell 17 hours ago

    > Their initial reply from the CEO: "I would love to hear what the vulnerability is, but I assume you want to get paid for it. Is that the play?"

    Well that’s pretty damning.

    • Aurornis 15 hours ago

      Should have been handled better, but some context is necessary:

      If your name is associated with a startup in a visible leadership position you will get mass-spammed from people claiming to have discovered critical vulnerabilities in your system. When you engage with them, the conversation will turn into requests to hire them for their services.

      So the CEO handled it poorly, but it's also not a great choice to withhold the details of the vulnerability in initial contact. If the goal was to get something fixed it should have been included in an easy-to-forward e-mail that could have been sent to someone who could act upon it.

      Anyone who works with security or bug bounties can tell you that the volume of bad reports was a problem before LLMs. Now that everyone thinks they're going to use LLMs to get gigs as pentesters the volume of reports is completely out of control.

    • reassess_blind 9 hours ago

      The number of spam "I found a vulnerability" emails you get as a SaaS operator is ridiculous, they never offer any proof of a vuln and just want you to confirm you have a bug bounty program (in which case they'll start scanning afterwards), or to pay ahead of time for the information or they'll threaten to release it.

      Their response isn't damning to me. It sounds like they just assume they're one of these spammers.

    • cyberax 17 hours ago

      I keep getting emails with the content like: "I found a critical bypass vulnerability in your app what is the appropriate channel to disclose it, and do you have a bounty program?"

      I tried engaging and replying to them, and it inevitably turns into: "Yeah, we don't actually have the vulnerability, but you are totally vulnerable, just let us do a security audit for you".

      I have a pre-written reply for these kinds of messages now.

      • kube-system 17 hours ago

        Yeah, the signal to noise ratio on vulnerability reports is very weak, especially when the initial report withholds any detail.

        I get tons of these messages too and the ones that do include details are the kind of junk you get from free "website vulnerability scanners" that are a bunch of garbage that means nothing -- "missing headers" for things I didn't set on purpose, "information disclosure vulnerabilities" for things that are intentionally there, etc... You can put google.com into these things and get dozens of results.

      • somewhatgoated 16 hours ago

        I run bug bounty for a fairly large OSS project and the amount of shitty/bad actor spam/beg bounties etc we get is huge. Like 95% of the emails to security@ are straight garbage

      • Galanwe 17 hours ago

        From the looks of it, they actually asked for a way to report.

        • bdangubic 17 hours ago

          email security@company

          • pcthrowaway 16 hours ago

            Sure that is perhaps a good way to inquire about the appropriate channels to disclose a security vulnerability, but email is not a secure communication method for sending the details about a security vulnerability

            • Terr_ 13 hours ago

              It's kind of insane to think that the state of email encryption is still so bad in The Future Year 2026.

              No flying cars? Okay. Nobody traveled much beyond the orbit of the Moon? Dang. But email? We didn't even get reliable privacy separate from identity?

              • cyberax 13 hours ago

                > Nobody traveled much beyond the orbit of the Moon?

                Oh, don't think that outer space will let you escape the misery of email:

                > "I have two Microsoft Outlooks and neither one is working": Artemis II astronauts

            • bdangubic 14 hours ago

              start there and handle everything once you get in contact with appropriate people

        • cyberax 17 hours ago

          Yeah. I'm just saying how it could have been overlooked. Doesn't excuse it, though.

    • WaitWaitWha 15 hours ago

      i have even more damning ones.

      When the "good Samaritan" do not go to the vendor, they go to the client (i.e., they do not contact the DIB company, they contact the Gov agency).

      I have seen government contractors getting pilloried, losing their livelihood when this happened. And, yes there is always a "quick fix offer" by the "good Samaritan" to the vendor and promised re-assurance to the Gov agency, only if this misguided vendor would go with their solution.

      It is also not unusual to find out later on, that the identification or even the resource reported on was wrong - but by this time the Gov agency already punished the contractor and the reporting "good Samaritan" is laughing (sometimes to the bank).

      they can get away with unethical vulnerability disclosure because think of the children, the threat to the nation, grandma off the cliff, and <insert your favorite cliche justification of malfeasance>.

      Yes, sore subject.

      • pocksuppet 10 hours ago

        That just sounds like good old business to me. When outside of public view, good businessmen are extremely cut-throat and unethical.

    • tencentshill 17 hours ago

      They could sell the next one to an adversary for a lot more money if they're going to act like that.

      • lixtra 17 hours ago

        Yes, there are also many other lucrative illegal activities.

        • sailfast 16 hours ago

          How is it illegal? It’s information available to the public.

          • NegativeK 8 hours ago

            If you sell something to someone and they do computer crimes, you're going to have to prove that you couldn't've known that they're a computer crimer.

            It's the same thing with selling general offensive security tools. You have to proactively make it clear that it's for testing and not criminal use. Otherwise, cops are going to assume you're complicit and make things shitty.

        • tardedmeme 17 hours ago

          Isn't it also illegal to withhold knowledge of a vulnerability for payment? It sounds like it should fall under some variety of blackmail.

          • mtlynch 16 hours ago

            That would be even worse than our already bad system.

            The system is already pretty bad because vendors underinvest in security, and then to fix it, researchers have to volunteer their time to investigate with no guarantee of payment. If the vendor could force researchers to hand over findings for free, nobody would want to do security research except hobbyists having fun. They're basically signing up for hours of tedious forced labor to explain vulnerabilities to the vendor.

            I wish there was legislation that allowed the government to fine vendors for security vulnerabilities like this where the amount scales based on how much user data they leaked. And it could function like other whistleblower systems where a researcher who spots a leak can report it to the government and collect 50%. That way, if the vendor says, "We're not paying you," the researcher can turn around and collect the money from fines.

            • tardedmeme 16 hours ago

              Vendors routinely get researchers arrested for breaking into their computers as well.

      • somewhatgoated 16 hours ago

        Legality aside there is no market for this really.

        • waffleiron 15 hours ago

          Data breaches of average people sell for quite a bit of money, often for phishing. I find it hard to believe no one would be interested in this.

          Or any other dataset with a hyper targeted demographic.

  • tardedmeme 17 hours ago

    I wonder if this is how Handala group recently stole the list of service members.

    How do people find these vulnerabilities within the immense scope of the whole internet? Are they going around with some kind of generic API scanner that discovers APIs?

    • yellowapple 13 hours ago

      Probably based on insider info to some degree; if you already do any sort of work for the DoD, then that tends to help narrow the scope of the search for vulnerable things to exploit.

    • fragmede 12 hours ago
  • BobbyTables2 13 hours ago

    Feels like they were too nice. After 90 days of no response, why not just go full disclosure on them?

    The CEO seems more interested in insulting people than securing his company’s product.

  • ryanisnan 18 hours ago

    Yikes, Schemata and that delinquent CEO should be held accountable.

  • bearsyankees 17 hours ago
  • sailfast 16 hours ago

    Would be fascinated to know if this went through competitive procurement or if it was one of those Hegseth “let’s be lethal and ship broken shit to the warfighter” procurements.

  • icedchai 16 hours ago

    Was the app vibe coded?

  • rectang 18 hours ago

    a16z = "Andreessen Horowitz", for those not in the know. (The acronym is not expanded in the article. EDIT: OP has fixed the article.)

    • bearsyankees 17 hours ago

      fixed now

      • rectang 17 hours ago

        Thanks! Happy to have my comment hidden by the mods if they get around to it.

        • cheschire 16 hours ago

          Perhaps the community could band together and crowdsource the moderation action through flags. Kidding.

        • bearsyankees 17 hours ago

          appreciate the feedback!!

    • OsrsNeedsf2P 16 hours ago

      Honestly, I didn't know who Andreessen Horowitz was, until you spelt out a16z

  • DougN7 18 hours ago

    Would it be possible to stop using aXXb nomenclature within the titles? Some of us aren't hip enough to know what all of them mean.

    • beambot 18 hours ago

      Andreessen-Horowitz, who most people (and they themselves) refer to as a16z and have the eponymous domain name (a16z.com). They're one of the top VC firms on the planet -- exceedingly relevant to HN audiences and commonly discussed here.

      • krisoft 17 hours ago

        > you'd rather say Andreessen-Horowitz, which is just as arbitrary as a16z

Yes. I know Andreessen-Horowitz and I don’t know a16z. Reading the title I thought it would be about the cryptography serialisation specification. Turns out I was mixing it up with ASN.1.

        > Their website is literally a16z.com

I hear now. Before this, if pressed, I would have guessed that they probably have a website indeed. If you would have twisted my arm my guess would have been andersenhorovitz.com (yup, with the typos. I learned the correct spelling today from your comment.)

        > exceedingly relevant for the HN audience

        We contain multitudes.

        • PenguinCoder 13 hours ago

          > Yes. I know Andreessen-Horowitz and I don’t know a16z.

So the world needs to adapt to your knowledge instead of you learning to adapt to an often-used and well-known moniker?

        • operatingthetan 17 hours ago

          They just want to sound technical.

      • DougN7 17 hours ago

        I'll be honest - I was thinking authorization (a11n?) - so I didn't read it closely enough. But despite that, and being on HN from almost the beginning (with a different account I lost the password to), I still didn't know what a16z was, though I do recognize Andreessen-Horowitz.

        • Semaphor 17 hours ago

Opposite for me, I've seen a16z tons of times on HN, and also the domain here sometimes, but the full name would have meant nothing to me.

        • rectang 17 hours ago

          I didn't either. This is an ancient debate that can never be resolved completely, though — because the articles that HN submissions point to don't follow a style guide and there are always assumptions about audience priors. Best to just resolve it and move on.

      • ok123456 14 hours ago

        Sorry, I come here for hacker content.

    • bearsyankees 18 hours ago

      apologies, just a vc firm

      • tomhow 17 hours ago

        The guidelines require using the same title on HN as is on the original post.

        • bearsyankees 17 hours ago

          oh apologies, thanks for the reminder

        • tptacek 17 hours ago

          Even when the author submits? :)

          • tomhow 16 hours ago

            Yes... unless we think it's fine to tailor a title to activate a particular reaction from the HN audience :)