It sounds like they've confused a) users submitting results from static analysis that wastes time, b) users submitting demonstrable vulnerabilities, and c) license agreements.

a) is bad, and the users should just be turned away. b) is good and far better than selling them on the black market. c) is... who cares, it's a license agreement.




She's mostly focussed on (a), it seems, and I can understand the frustration - all too often we get lengthy missives from client consultants along the lines of "Ran scanning tool. Suggests that the version of PHP.net you are using is vulnerable to LSASS and STUXNET vulnerabilities, our client is terrified, pay me off to make the pain go away." We get a genuine vulnerability reported once in a blue moon.

(b) is good, but her point that their spending their time doing static analysis of Oracle's software is a monumental waste of time is perfectly valid, if their root password is "password" and the firewall is just some sheetrock in the basement.
