Today I was contacted by a person claiming to be a white hat hacker, reporting a vulnerability and hoping for a bounty for his ethical disclosure.
I am not a business owner (at least not yet) able to pay a bounty from revenue, and the vulnerability reported looks like something that even big companies struggle with.
At first I thought it was just your common spam. And it basically is, as I did not request such an email. But something kept me reading that email for longer. Finally I was dissuaded from the simple act of deleting it, as the technical details presented in the email fit together, including the steps to reproduce. In fact, the insights were quite valuable.
A very similar topic has already been discussed on an Information Security Stack Exchange page, and I would consider the details there an interesting read, even for those not affected. Users there confirmed my findings about the real added value of receiving such a notice from an ethical hacker.
I think there will be more and more security related things happening in the future, whether for individuals or for businesses. But on the other hand, it is another thing to keep an eye on, scrambling to fit into our already tight schedules. And I do not think it is easy to find the time and resources to patch security issues as one of our primary tasks, unless we have already established ourselves on the market quite firmly.
It was easier to ignore security related threats in the past, but with the recent spike in ransomware attacks, the urge to act is only getting more pressing with every passing day.
This is the 45th post of #100daystooffload.