I wrote up a formal responsible disclosure policy. I take the security of my customers seriously, and as such I have gear and hosting as prizes it anyone finds anything. Not as fancy as a policy like Google’s, but I think every organization should have something (especially after the Panera Incident).
Cheers,
~H
Telegram has been around for a little while now, and its user base is growing. However, despite their attempts to be the secure system to beat out the larger social networks, they have one particularly alarming policy: They will transfer a username unilaterally from an established account to another.
I found a massive Key Space Reduction Attack on locks sold by Home Depot. The flaw lies in their procurement process, rather than the locks themselves, and enables an adversary to reduce the possible key codes for locks based on the time of shipment, identified by the approximate time of install. For commercial settings where building permits indicate construction time lines, this can give a significant advantage to an attacker in that he may use an actual key and not leave a trace. The flaw is caused by the Home Depot’s processes, not their lock vendors who have urged them not to refuse randomization.
I found a spreadsheet containing a nuclear materials database credential on Google. The technique used was very simple, but I have to wonder why such a document misplacement was overlooked. Maybe people are afraid to tell them they just stumbled upon a nuclear system fearing they might get disappeared. Well, I decided to contact them and hilarity ensued. The database was relatively benign, but the saga went on for a little longer than it should. This also resulted in my first interview for a major publication, The Guardian.