this post was submitted on 28 Jan 2024
476 points (99.2% liked)
Technology
How do you know if a company is going to pay to fix?
Do you just have to take a chance and notify them?
Either I make a bunch of money, or they say fuck off, or they send me to jail? It seems too iffy.
Bounties are a bit nebulous.
Actual pen testing companies have red teams (attackers) that have a scope of what they are allowed to target, and how they go about it.
For example, just because a red teamer can get into the data center to do stuff locally, that doesn't meet the scope requirement of testing their web page externally. They would most likely be prosecuted.
Pen testing companies also have lawyers, at least they should, who help negotiate scope and what is legally allowed and in what context.
Due to the secrecy needed for some tests, the security staff may not be aware a test is in place. From what I understand, generally people have some sort of paperwork on their person, or at least the contact information of someone at the company with the authority to authorize this red team pen test.
That being said, cops may still get called, you may still get arrested, and have to deal with the courts.
Or worse, some trigger happy security guard shoots you.
I'm just studying that stuff though at the moment, so take what I said with a grain of salt.
I assume the idea is that the company then has a contract with the hacker, so they can no longer sue him. They essentially hack themselves via proxy.