Dailydave mailing list archives
Re: Equitablefax
From: Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Wed, 27 Sep 2017 09:30:40 -0700
If Equifax had a public bug bounty program, someone would have reported the Java RCE in March 2017 and picked up $10K or more for it. But no, Equifax did not have a public bug bounty program. Say what you will about the pros and cons of a bug bounty program, especially for financial institutions which "know better than the public how to protect themselves", but at least in this case a known issue would have been well documented much earlier. We should encourage other credit and financial companies to consider public or at the very least private bug bounty programs. It's a mess to operate them, but not patching a known critical web flaw ASAP that allows RCE is precisely the legal definition of negligence. Equifax should pay dearly for it.

Perhaps it's time to consider federal Cyber Security Insurance laws for such companies which force them to pay fees to operate on the Internet, just like everyone that drives a car on the road? If you crash your car every time you get on the highway, or you damage 140 million cars while driving, you would lose your license for some time. Why hasn't Equifax lost their license to operate on the Internet for some time? How about a 2 year hiatus on their annual revenue to punish them? Just a thought.

Maybe Halvar can chime in on why Cyber Security Insurance regulation like that is OR is not the answer. He has been working on that lately...