Casino Screwup Royale: A tale of "ethical hacking" gone awry

[InfoSec News <alerts () infosecnews org>]

https://arstechnica.com/information-technology/2019/03/50-shades-of-greyhat-a-study-in-how-not-to-handle-security-disclosures/

By Sean Gallagher
Ars Technica
3/26/2019

People who find security vulnerabilities commonly run into difficulties when 
reporting them to the responsible company. But it's less common for such 
situations to turn into tense trade-show confrontations—and competing claims of 
assault and blackmail.

Yet that's what happened when executives at Atrient -- a casino technology firm 
headquartered in West Bloomfield, Michigan -- stopped responding to two 
UK-based security researchers who had reported some alleged security flaws. The 
researchers thought they had reached an agreement regarding payment for their 
work, but nothing final ever materialized. On February 5, 2019, one of the 
researchers -- Dylan Wheeler, a 23-year-old Australian living in the UK -- 
stopped by Atrient's booth at a London conference to confront the company’s 
chief operating officer.

What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got 
in a confrontation with him and yanked off his conference lanyard; Gill insists 
he did no such thing, and he accused Wheeler of attempted extortion.

The debacle culminated in legal threats and a lot of mudslinging, with live 
play-by-play commentary as it played out on Twitter. Rapid7 Director of 
Research Tod Beardsley was one of the spectators. "My first reaction," 
Beardsley joked, "was, man, I wish a vendor would punch me for disclosure. Boy, 
that beats any bug bounty."

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_