A few days ago, someone found a vulnerability in Arc Browser that let them execute any arbitrary JS code on a victim’s browser without any clicks. Then, a tweet was making the rounds mentioning that a POS software suite had all of its API endpoints publicly exposed.

Tough shit! Security is a super hard, ever evolving target for any software project. Mistakes happen, you learn lessons, you patch/audit/update code & processes, and hopefully, your software is better for it in the future.

However, in both these cases, the reaction from the corporations has been less than optimistic. The former company paid out a meagre US$2000 bug bounty after first refusing any bounties, and latter chose legal threats. As far as I can tell, both corporations are well funded and venture backed, so such behaviour is sending out the wrong signals.

Firstly, this is signaling to the wider security community that bug reports for their software products are valued poorly. This means that the most skilled hackers, who hope to earn a fair living reporting bugs, won’t be encouraged to audit their software. Economically, it makes sense for these competent hackers to report bugs to other corporations that do pay out fairly, if it takes roughly the same hours of their time to find bugs of the same severity.

Next, unscrupulous characters will try to exploit findings instead of reporting them. If the finding is worth not much, or zero, or worse – worth being dragged into the Indian justice system – folks might as well share it for the lulz and earn some cred in their community. This opens up gates for financial damage or reputation damage for corporations in the future, even if they are operating a legit bug bounty program.

But I’m guessing most importantly, this signals to these corporations’ existing engineering teams and other engineers that might want to join them in the future, that security and fairness of process isn’t valued as part of their engineering DNA. Would a competent engineer join an organisation that hushes off any bugs or one that openly discloses them, learns from mistakes and fixes their code and processes for future resilience?

The technology leadership at these corporations probably needs to reflect on their handling of these disclosures and take a more forward looking view on the matter. If you’re ever in a similar position, I hope you do!