
Casino Screwup Royale: A tale of “ethical hacking” gone awry - furcyd
https://arstechnica.com/information-technology/2019/03/50-shades-of-greyhat-a-study-in-how-not-to-handle-security-disclosures/
======
bitexploder
These guys (hackers) were not very ethical at all. They found an open Jenkins
server and then compromised it. That’s illegal. You don’t do that to “find out
what is going on”. The rest of the article is pretty accurate regarding
vulnerability disclosure to smaller companies. My team faces problems similar
to this all the time.

~~~
mrguyorama
My interpretation is that they were attempting to figure out the owner to
disclose to. Is there a legal way to do so that doesn't involve leveraging a
vulnerability and indeed "hacking" a system?

~~~
bitexploder
Not always. You start with the IP and try to work from there.

My general rule is you (1) never attempt to authenticate to a system, and (2)
use only publicly available information. Think GET verb only or equivalent.
Don’t modify state on purpose. You could do a lot with Jenkins to find an owner.
Morally, what these guys did is acceptable IMO, but, ethically, no good.

------
HorstG
The vendor tried to hide the vulnerability from the public, its customers and
its future business partners and to delay disclosure until after a favourable
business deal. What the hackers did wrong here is failing to recognize that
immediate full and public disclosure is the only ethical course of action in
such a situation.
