
Hacker Obtained Children's Headshots and Chatlogs from Toymaker VTech - fabian2k
http://motherboard.vice.com/read/hacker-obtained-childrens-headshots-and-chatlogs-from-toymaker-vtech
======
laarc
It's usually possible to break into a target's network. The article might want
to mention what you should do if you find a vuln.

The first thing to do is to check whether the company has any disclosure
programs set up. This is somewhat rare, but companies are starting to pay
regular bounties for this type of thing:
[https://hackerone.com/hacktivity](https://hackerone.com/hacktivity)

If there's no program in place, contact a pentester and ask how to proceed.
There are a variety of pentesters available on Twitter who will absolutely
jump at the chance, so if you're looking for a way to responsibly disclose a
bug, that's one way to do it. If you're worried they might try to claim
credit, well... Don't worry about that. No one's interested in tanking their
own reputation by pulling a stunt like that. The discovery is much more
valuable to you than to them.

What you should _not_ do is continue to probe the vulnerability beyond what
you initially discovered. E.g. if you got access to a server somehow,
disconnect and seek a way to responsibly disclose the vuln. Don't try to see
how deeply you can breach, and don't run commands to poke around at their
data.

If you're a teenager, there are pretty much two options: Show the vuln to your
friends, or try to disclose the vuln responsibly. Showing it off is usually a
bad idea. They'll probably pressure you to show off, which makes disclosure a
little more difficult. The cred you get won't matter long-term. But impressing
your peers is a pretty powerful force to try to persuade against in an HN
comment. Whatever you do, don't tell anyone but a pentester any specific steps
to replicate your finding, else you'll be on the hook for whatever silly thing
they do.

Your vuln may seem very important, and maybe it is. But you're also usually
the first one to run across it. Even if it takes 17 months to resolve an
issue, companies in the current social climate are almost all willing to work
with you to get it done. This is where contacting a pentester can help,
because they can contact the company on your behalf, or at least advise you
about what to say when you contact them. Again, don't worry about them
claiming credit; they have no interest in such things.

The article raises a few points I'll pass on addressing. I wanted to give a
perspective on how to disclose a vuln that you stumble across.

Emphasis on "stumble across." The world is in a strange state right now where
it's not really a good idea to go looking for flaws unless a company is
actively asking you to seek them out, like Twitter.

