[Update: Corrected title per first comment. Also, should you find any kind of vulnerability with SoylentNews, please send a description to "dev" at "soylentnews.org" and we'll address it as soon as possible. --martyb]
Submitted via IRC for AndyTheAbsurd
Almost a quarter of hackers have not reported a vulnerability that they found because the company didn't have a channel to disclose it, according to a survey of the ethical hacking community.
With 1,698 respondents, the 2018 Hacker Report, conducted by the cybersecurity platform HackerOne, is the largest documented survey ever conducted of the ethical hacking community.
In the survey, HackerOne reports that nearly 1 in 4 hackers have not reported a vulnerability because the company in question lacks a vulnerability disclosure policy (VDP) or a formal method for receiving vulnerability submissions from the outside world.
Without a VDP, ethical, white-hat hackers are forced to go through other channels like social media or emailing personnel in the company, but, as the survey states, they are "frequently ignored or misunderstood".
But that means that three-quarters DO, which I guess is good news. Or at least not bad news.
(Score: 1) by tftp on Thursday January 18 2018, @09:19PM (3 children)
No sane person wants to wake up in the middle of the night every ten minutes from the rattling sound produced by yet another yahoo who "just tries the doorknob on your house's door". Unwanted portscanners are like thieves who are "casing the place" to prepare for a later break-in.
(Score: 2) by Grishnakh on Thursday January 18 2018, @09:31PM (2 children)
Bad analogy. It's more like some "yahoo" who uses a tricorder to scan all the doorknobs in his condo building to see who forgot to lock their door, and then politely informs them so some dangerous or deranged person doesn't barge into their house (which is something that actually happened to me when I was young). If your door is locked, and you don't have any devices looking for the tachyon emissions (or whatever) from the tricorder scan, you'll never know you're being scanned.
Now if your argument is that public-facing servers have to look at all network traffic because of security concerns, so my analogy is invalid and the rattling sound at night analogy is more correct, then that's just what you have to put up with when you put your systems on the internet and invite public access. So the analogy here is that you're being woken up from helpful doorknob-testers because you've decided to live in a dangerous ghetto where people are frequently home-invaded.
(Score: 1) by tftp on Thursday January 18 2018, @09:58PM (1 child)
In your analogy the life expectancy of such a tester is very, very short :-)
With regard to the facts of the matter, 99.999% of all portscans are initiated by script kiddies from their home IP, and everyone should have concerns about their ethic. If they discover a door open, chances of them kindly informing you are negative.
(Score: 2) by Grishnakh on Thursday January 18 2018, @11:06PM
With regard to the facts of the matter, 99.999% of all portscans are initiated by script kiddies from their home IP, and everyone should have concerns about their ethic. If they discover a door open, chances of them kindly informing you are negative.
If that's the case, then sysadmins should be happy for the rare person who portscans them with the intention of kindly informing them of vulnerabilities.