Information Security News mailing list archives
Casino Screwup Royale: A tale of "ethical hacking" gone awry
From: InfoSec News <alerts () infosecnews org>
Date: Thu, 28 Mar 2019 06:34:03 +0000 (UTC)
https://arstechnica.com/information-technology/2019/03/50-shades-of-greyhat-a-study-in-how-not-to-handle-security-disclosures/

By Sean Gallagher
Ars Technica
3/26/2019

People who find security vulnerabilities commonly run into difficulties when reporting them to the responsible company. But it's less common for such situations to turn into tense trade-show confrontations—and competing claims of assault and blackmail.
Yet that's what happened when executives at Atrient -- a casino technology firm headquartered in West Bloomfield, Michigan -- stopped responding to two UK-based security researchers who had reported some alleged security flaws. The researchers thought they had reached an agreement regarding payment for their work, but nothing final ever materialized. On February 5, 2019, one of the researchers -- Dylan Wheeler, a 23-year-old Australian living in the UK -- stopped by Atrient's booth at a London conference to confront the company’s chief operating officer.
What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got in a confrontation with him and yanked off his conference lanyard; Gill insists he did no such thing, and he accused Wheeler of attempted extortion.
The debacle culminated in legal threats and a lot of mudslinging, with live play-by-play commentary as it played out on Twitter. Rapid7 Director of Research Tod Beardsley was one of the spectators. "My first reaction," Beardsley joked, "was, man, I wish a vendor would punch me for disclosure. Boy, that beats any bug bounty."
[...]
--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_