Some BS on choosing the colour of your hat
by vvvalentinusss - Thursday June 6, 2024 at 05:22 PM
#1
Just wanted to talk some shit about the current cybersecurity world.

When you are working with a gov or any private company's security team, you might need to think about why people like cracking your company.
Sometimes people like to ask, e.g., why people enjoy doing blackhat when you can still earn money by being a white hat.

Let me tell you why: those blue team members are assholes.
If you choose to be a whitehat, sometimes your report will be rejected or marked as informative just because they don't understand the impact and they don't think this will cause a money loss.
You can't give them something to see, as you are being restricted by the CoC, rules, etc.
You cracked their system, you show them, and they will say: no, you are working too much and not within our scope. This is not a risk / we have hired a vendor, they are certified, so your finding is not a risk.
Sorry, this is a challenge with us and we know that, but I can only mark you as informative.
More and more ridiculous reasons you will see.
I'm not saying those things like an information disclosure case of something that's really not that important. Even if you bypassed, executed well, they will still be the same.

It leads me to think, what's the point of being a white hat?
Not even a grey hat; people will ignore your email and pretend nothing happened. Check out what AT&T said before.

I quite like the sentence Shiny told the reporter before: "I don't care if they admit it or not, I'm just selling the things" (something like that, I can't remember it exactly).