
The Property Jungle: I'm a security researcher, get me out of here - dchest
https://paul.reviews/the-property-jungle-im-a-security-researcher-get-me-out-of-here/
======
g0v
I feel as though both parties could have handled that better. Contacting a
company about a security vulnerability via a tweet, there must be a better way
about that. And the company's response seemed pretty disproportionate to me.

Maybe someone will learn something from this, or maybe not.

~~~
merpnderp
He clearly stated that they only had a sales email available on their site,
and he politely asked for a DM for an appropriate way to contact them. If a
company has an active Twitter account it is appropriate to contact them
through it. I've done this several times with quite happy results on both
ends.

~~~
g0v
Well, good to know. I guess I'm not familiar with how things can be done.
Thanks for the heads up.

------
tim333
Hmm... Pretty much the first line of the Property Jungle's website is "Call us
on 0808 1800 178." I'm not sure why his first action was to tweet "critical
security issue" publicly. I can see why the Property Jungle guy would have
thought it was a revenue extraction thing.

------
raesene2
It's a shame to see the company react like this, but the author is taking a bit
of a risk here.

Finding SQL injection requires active testing of the site which, without
authority to test, may fall into a gray area of UK law about whether it's in
breach of the Computer Misuse Act.

Now you'd hope the company will take this as intended, but some organisations
will take being embarrassed like this poorly.

------
marak830
Bloody hell, way to drop the ball. I'm quite grateful I don't work in this guy's
field, I'd flip out at someone within a week.

~~~
stewartbutler
No matter how egregious the security risk is, I have a hard time taking anyone
who uses twitter to contact someone they want to do business with seriously.
Or any social media, tbh. It comes off as unprofessional to me, and it is
especially unbecoming if you are a security researcher and this is the _first
resort_. It immediately removes any chance of them handling the issue
discreetly, and puts them in a defensive position. Why the hell would you do
that?

~~~
chickenheads
The author of the blog post didn't publish his email to the guy whose site was
vulnerable. Only the site's reply. I could only imagine how the original email
to the company was worded.

There's something here about treating someone, even an ignorant idiot (whose
only fault is being ignorantly and aggressively presumptuous), with a basic
level of professional courtesy. You either foster that basic level of respect
or you act like a child in need of attention. I would never hire this security
researcher if I read this blog post. Communication is one of our most
important skills.

~~~
pm24601
Who cares about hiring Paul? TPJ is ignoring the vulns that Paul is trying to
inform them of discreetly.

As a consequence of TPJ's attitude - Paul is doing the next best thing of
letting TPJ customers know that they are at risk.

------
contingencies
Bad communication all around. At least the MD states his thinking. Security
world is full of puerile one-upmanship. It's far harder to build something
than to break it.

------
colomohare
People who manage social media for companies are trained to filter out the
shit before it reaches the managing director. This tubby bitch decided to try
and boost his self importance because he THOUGHT he found a vulnerability by
slagging them off to their customers and then has the gall to whinge about
someone being unprofessional. The mind boggles!

------
jason_s
DM = ?

~~~
dchest
Direct message (Twitter's feature)

