I found a vulnerability. They found a lawyer
Organizational incentives vs. security reality
- Many commenters relate similar experiences: severe security flaws met with denial, defensiveness, or attempts to bury evidence rather than fix root causes.
- This is seen even in prestigious tech firms; basic organizational politics, ego, and fear of blame often override best practices.
- Some argue this validates the suspicion that many widely publicized breaches stem from long-known but suppressed vulnerabilities.
Legal and ethical risk for vulnerability finders
- Strong disagreement over the researcher’s actions:
  - Critics say enumerating accounts and accessing others’ data (including minors’) crosses a legal line in many jurisdictions (e.g., Germany, US), where merely “knowing the door is open” is different from walking through it.
  - Supporters argue you often need a concrete proof-of-concept to be taken seriously, and existing laws make it almost impossible to distinguish “white hat” from “black hat” purely by behavior.
  - Several recommend: stop once the flaw is obvious; don’t dump data; disclose anonymously (e.g., via Tor) or through intermediaries; consider that writing about the details later is tantamount to a confession in some regimes.
Responsible disclosure, wording, and escalation
- The 30‑day fix-or-public-disclosure line is defended as standard infosec practice, but lawyers and non-technical managers are likely to read it as blackmail/extortion.
- CC’ing Malta’s CSIRT on first contact likely triggered regulatory clocks (e.g., GDPR reporting timelines), pushing the company into “maximum liability management” mode and toward aggressive legal posturing.
- Some lawyers in the thread say the company handled it badly, but also note that public disclosure of an exploitable flaw can itself be legally problematic in parts of the EU.
GDPR, Malta, and enforcement
- Multiple comments claim GDPR is theoretically strong but weakly enforced; token fines years later are common, so suppressing reports can be a rational (if unethical) corporate strategy.
- Malta is described as having a particularly hostile environment for security researchers, with past cases of students being prosecuted after responsible disclosure; this likely amplifies local chilling effects.
Bug bounties, intermediaries, and proposed reforms
- Bug bounty programs and platforms (e.g., HackerOne) are portrayed as inconsistent: sometimes helpful, often dismissive, occasionally baiting researchers to cross legal lines (“prove it by causing real disruption”).
- Suggested improvements:
  - Legal safe harbors and strong protections for good‑faith researchers.
  - Mandatory/structured bug bounties scaled by impact; or trusted third‑party intermediaries / national CERTs with legal shields.
  - Stronger, auditable security requirements and professional accountability (analogous to licensed engineers in the civil or accounting fields).