How do I inform a company I found a leaked database of theirs on the Internet? [duplicate]

Recently I found a leaked database of a company and I do not know how to go about contacting the company. It is so weird because I cannot find any type of Information Security contact email to report this to. It just has a support email. I… Continue reading How do I inform a company I found a leaked database of theirs on the Internet? [duplicate]

Bug Bounty Programs Are Being Used to Buy Silence

Investigative report on how commercial bug-bounty programs like HackerOne, Bugcrowd, and SynAck are being used to silence researchers: Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO’s investigation shows that the bug… Continue reading Bug Bounty Programs Are Being Used to Buy Silence

Marriott Was Hacked — Again

Marriott announced another data breach, this one affecting 5.2 million people: At this point, we believe that the following information may have been involved, although not all of this information was present for every guest involved: Contact Details (e.g., name, mailing address, email address, and phone number) Loyalty Account Information (e.g., account number and points balance, but not passwords) Additional… Continue reading Marriott Was Hacked — Again

What is the oldest security bug bounty / vulnerability disclosure program? [closed]

I’m aware that Facebook had a paid bug bounty program quite early. This article notes the 5th anniversary so the program existed in 2011.

I’m curious about other programs, regardless of:

Whether a service (e.g. Facebook) or a software v… Continue reading What is the oldest security bug bounty / vulnerability disclosure program? [closed]

DHS Mandates Federal Agencies to Run Vulnerability Disclosure Policy

The DHS is requiring all federal agencies to develop a vulnerability disclosure policy. The goal is that people who discover vulnerabilities in government systems have a mechanism for reporting them to someone who might actually do something about it. The devil is in the details, of course, but this is a welcome development. The DHS is seeking public feedback…. Continue reading DHS Mandates Federal Agencies to Run Vulnerability Disclosure Policy

NordVPN Breached

There was a successful attack against NordVPN: Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Those certificates might be issued for other … Continue reading NordVPN Breached

NordVPN Breached

There was a successful attack against NordVPN: Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Those certificates might be issued for other servers in NordVPN’s network or for a variety of other sensitive purposes. The name of the third certificate suggested it could… Continue reading NordVPN Breached