Too Many People Don’t Value the Time of Security Researchers
2025-01-21 14:30:46 Author: soatok.blog

It’s really not my place to ever command respect from anyone; and that’s not just because I’m a furry–which has always been towards the bottom of the geek hierarchy. I am well aware how little weight my words truly carry, even to other furries, as well as how little I really matter.

But the tech industry holds independent security researchers in such low regard, and values their time so poorly, that it’s no wonder so many would-be hackers feel discouraged from ever learning.

So, I must ask tech workers (especially programmers… and yes, including open source developers) the whole world over to listen for a minute–not for my sake, but for the collateral damage you might be inflicting on newcomers without realizing it.

Finding vulnerabilities is, itself, a contribution to your project!

This might sound obvious when I say it like that, but I’ve had many people respond to my disclosing a vulnerability with a demand that I spend more of my time writing, testing, and submitting a patch to the project in scope.

When I found and disclosed vulnerabilities in Matrix’s Olm library last year (which they never fixed, and then admitted they knew about for years), I was flooded with strangers demanding to know where the patch or pull request is, as if I have some moral obligation to do free labor on top of the free labor I already provided.

It’s not just Matrix. I’ve lost count of the times this story has played out for me:

  1. I find a vulnerability in a software project (whether open source or discovered from reverse engineering).
  2. I try to report what I found to them, so they can fix it.
  3. They point me to their bug bounty program.
  4. I begrudgingly file it with their bug bounty program, with as much detail and as concise an explanation as I would provide in a GitHub issue.
  5. The people running the bug bounty program demand a fully weaponized proof-of-concept exploit in order for my report to be taken seriously.
  6. I silently ponder whether it’s worth it to risk losing my account on that platform to email Full Disclosure instead.

To be clear, I know what it’s like to triage reports from bug bounty programs. It’s a lot of garbage most of the time, and Generative AI has made it so much worse.

But when someone opens a report with, “I’m not looking for a bounty, this is where I was told to send reports,” it’s a little insulting to get the same treatment as the 10,000th “vulnerable to self-XSS via browser developer tools; pay bounty now” report that week.

Now, this isn’t my first rodeo (by any means) and I have relatively thick skin.

Most newcomers will not.

Please think, for a moment, about whether you want them to feel discouraged and that their time isn’t valued.

Last month, a reader of my blog read me into a vulnerability they disclosed to a vendor that treated them the same way I discussed above.

Their report referenced some of my blog posts and open source work. It was kind of cool to see!

But when I asked what their next steps are (since the vendor’s response was kind of lame), their response was basically:

“Nothing, I give up.”

I’m kind of getting tired of picking up the pieces caused by mistreatment of amateur hackers.

It Can Always Be Worse

The history of independent security research is full of horrible incidents and bogus legal peril–where someone doing everything right ends up profoundly disrespected by the people they were trying to help.

There’s a reason the Pwnie Awards usually have a category for “Lamest Vendor Response”. This isn’t just an American problem; the Chaos Communication Congress has an ongoing saga involving legal threats to security researchers by the Polish rail vehicle manufacturer, Newag.

As bad as these situations can be, they’re relatively rare and often gather lots of media attention.

The problem I’m trying to highlight today is more banal and commonplace.

Responsible Disclosure, Isn’t

These are the actual categories of vulnerability disclosure:

  • Full Disclosure
  • Coordinated Disclosure
  • Non-Disclosure
  • Privately disclosing to a third party (e.g., selling to an exploit broker) and watching the world burn

That’s it. This list is exhaustive.

The term “responsible disclosure” is a harmful, moralistic term that even the person who coined it now discourages in favor of “coordinated disclosure” instead.

There is no one disclosure policy that fits the criteria for “responsible” in all situations. Anyone that claims otherwise will inevitably summon a long and tedious message board debate on the topic.

When it comes to cryptographic flaws that put users’ privacy at risk, immediate full disclosure is actually the most responsible thing to do.

In most other cases, coordinated disclosure is preferred, especially if the knowledge of the vulnerability is easy to turn into an exploit that harms users.

When most people say “responsible disclosure” they really mean “coordinated disclosure”, where the vendor pledges to fix the issue and release a new version before the vulnerability details are made public. And they must eventually be public, unless you’re really practicing non-disclosure.

Non-disclosure is what a lot of software vendors truly want. Without disclosure, the public remains in the dark about the vulnerabilities that could have impacted them.

If someone opts for full disclosure on a product you care about, emailing the researcher demanding they spend more of their time writing a patch too is more than a little uncalled for.

Don’t Assume Vendor Reputation Is Our Top Priority

The most basic rule of professional ethics for security research is actually quite simple: We work to protect users first.

When it comes to the reputation of vendors with vulnerable products, we aren’t automatically obligated to even care how bad a vulnerability disclosure makes you look.

The primary exception to this general rule is when you’re already paying us for our time and expertise (i.e., there’s already a Statement Of Work in place).

That isn’t to say that the relationship between security researchers and vendors has to be adversarial. It certainly doesn’t! But assuming that security researchers “owe you” is kind of rude.

This sort of entitled attitude in response to research happens more than you’d think, especially when the vulnerability is found in open source software.

Programmers Can Be The Worst Offenders

Last year, I found a really dumb way to cheat at a multiplayer indie game on Steam, and emailed the developer with the details of the problem, some ways it can be leveraged, and with a simple fix for the problem. (It was basically a one-liner.)

I never received any direct response (not even an angry one). After a while, I tried to escalate through their Discord moderators just to make sure the developer even saw it (a.k.a., that it didn’t get spam-filtered). No response.

Ultimately, I discovered my account was deactivated when the developer finally did get around to implementing my recommended fix, nearly a year later.

But What About

I touched on this very recently, but ever since I told furries to stop using Telegram, I have been poked and prodded in every communication medium in existence with messages that are formatted as “What about [other app]?” It’s been death by a thousand cuts.

And lately my reaction is, “What about it? There are a lot of apps! I cannot have a comprehensive, informed opinion on each and every single one of them without expending a lot of my personal time to review their design and implementations.”

But I feel conflicted about this.

As much as I’d hate to smother someone else’s genuine curiosity, I really don’t appreciate strangers telling me how to spend my personal time. (I already have a full-time job, y’know!)

Yet it gets truly frustrating when I’m queried about a project that my industry peers just published an audit report about not much more than a month ago.

The ink’s barely dry on a project several cryptography experts spent a full week of their life working on, and you’re already ignoring it exists? What was their time worth to you?

Are you starting to notice the pattern?

We all have a finite number of hours (though we generally don’t know how many).

If you do not value the time of security researchers, do you even truly respect them as people? (And if not, then adversarial tones from hackers shouldn’t be a difficult goddamn mystery for you to solve.)

This tendency of discounting each other’s time certainly isn’t exclusive to security researchers (ask anyone that has ever worked in a retail job about that). However, the circumstances in which security disclosures occur are a little special, in that the researcher has ethical obligations–and yet, their time is still often blatantly devalued.

It’s not only in overt acts that the technology community shows they don’t value the time of security researchers, but also in subtle, unspoken ways.

Please Reconsider

It doesn’t need to be this way. I’m sure we can all do better.

And, like, even if you don’t like me in particular? That’s fine. You don’t have to.

But spare a moment’s thought for other security researchers. I personally think they matter, even if I don’t.

Someday, I’ll run out of hours, and then how people want to treat me will be completely inconsequential, but how people treat each other will persist through tradition. You’re all stuck with each other for the rest of your lives.


Header art: Harubaki and CMYKat.


Source: https://soatok.blog/2025/01/21/too-many-people-dont-value-the-time-of-security-researchers/