There needs to exist a legal entity/non-profit or company that acts as a shield and/or escrow for these kinds of situations. Basically, as a researcher you can have them deal with the company/organization for you, including dealing with any threats, collecting any bounties due, and such. The company could have domain expertise of the industry, laws, and generally be a force against these companies -- the analogy would be a lawyer.
This is for cases where you want the credit but still want the protections afforded by being somewhat anonymous. Similar to WikiLeaks but more focused on allowing the company or entity to solve their problems and representing fairness on all sides.
There is. Carnegie-Mellon University's CERT. Here's the form for reporting a vulnerability.[1] For this kind of problem, select "Request Vulnerability Coordination Assistance". You can even do this anonymously.
The report isn't public yet, but it's on record. You've reported it to the organization funded by Homeland Security to take such reports. In 45 days, CERT will disclose it to the public.[2]
CERT may contact the bank themselves. If you do, you can cite the CVE vulnerability number they give you. This gives you some advantages when talking to a bank. "Have your technical people contact Homeland Security's US-CERT at (888) 282-0870 regarding CVE-NNNN" will usually deal with a bank's people. They can't make the problem disappear.
I don't recommend submitting to CERT unless you genuinely don't care about the outcome of reporting.
Yes, reporting to CERT is "safe"; you almost certainly aren't going to get sued for doing it. But don't count on CERT coordinating a fix or even figuring out how to report flaws to. It's unlikely that anyone at CERT knows who "Zecco" is.
CERT themselves ask you not to submit to CERT unless your vulnerability fits some specific criteria. "Unresponsive vendor" is one of those, but CERT's fine print says that they prioritize severe, multi-vendor vulnerabilities.
Anyone who runs a bug bounty program can tell you how unrealistic it is to rely on CERT for this stuff: triaging reports for just one vendor is a full-time job. CERT wants to get early warnings of things like OS and platform vulnerabilities. I don't think it's a good idea to report those to CERT either, but regardless, CERT isn't set up to handle your CSRF report in some random website.
Even if CERT doesn't do much actively, you've put the problem on record and can refer to that record when dealing with vendors. Most companies can ignore security vulnerability reports if they choose, but a bank cannot. They have an obligation to report the vulnerability to their auditors. It triggers certain Sarbanes-Oxley reporting requirements.[1] It's easier to fix the problem than deal with the problems of having a logged, unfixed vulnerability.
Sure banks can. Source: did software security for a number of banks. Big banks are chock full o' CSRFs, XSS, SSRFs, and SQLIs. They get found all the time. For every valid report they get, they get 3 that aren't valid. Nobody's hair achieves ignition over this stuff.
There are two types of financial service organizations: the big banks, and random firms (like Zecco was, before Ally bought them).
There's no point in contacting CERT about a Bank of America vulnerability. CERT won't prioritize the report and won't know the right person to talk to, but also, you're a Google search away from finding out who to report to at Bank of America (spoiler: it's Hacker One). These kinds of things don't happen at BofA, not because vulns are hair-on-fire there, but because there's a process in place to handle them.
There's not much point in contacting CERT about a Zecco vulnerability. CERT doesn't know who to contact and doesn't know how to find them and won't spend the time trying. CERT isn't going to publish an unconfirmed report. All CERT is going to do is go to Mitre; you can do that too, and note the guidelines for what will get you a CVE.
The issue here is just TANSTAAFL. It takes a fuckload of effort to triage and confirm vulnerability reports. There's no magic "this is a real vulnerability" certificate you can get CERT or Mitre --- or really anyone who doesn't spend a lot of money to maintain the capability for their own products. If there was, Hacker One wouldn't make half their money selling triage services. :)
>For every valid report they get, they get 3 that aren't valid.
Because taking the time to write and to submit an invalid report is a total waste of the reporter's time. Reports aren't the type of thing that someone will accidentally say "oh this is a severe vulnerability! here's some cash" even though the researcher has submitted bullshit.
So can you talk about "3 that aren't valid" for every valid report? Who makes these? Weird, obscure cranks, of the type who in other industries would be churning out perpetual motion devices? I would expect 80%+ of vulnerability reports to be serious and real - quite different from what you just wrote.
Whether you run a bug bounty or not, there are now hundreds of people in Asia and Eastern Europe who hope to make $500 every time they find a page without X-Frame-Options set. A lot of them have pirated Burp Suite and are hoping to simply cash in on the scanner output.
As someone who has been on the receiving end of a bug bounty's mailbox, 3-to-1 sounds about right. We got a ton of invalid "security vulnerabilities" that were essentially either people reporting OAuth as a vulnerability or not understanding how XSS actually worked. Most of these came from teenagers in southeast Asia.
I've also seen lots of reports of some serious vulnerability - "major product X doesn't validate TLS certificates" - where it looks like the reporter forgot they had added their own cert to the OS's trust store.
Here is some context for what I'm about to write: I managed a bug bounty for a sizable arm of BBVA. I have temporarily managed bug bounties for many smaller tech companies. In 2014, I surveyed the the industry as BugCrowd and Hackerone were coming into prominence.
Bug bounties, on average, have a signal:noise ratio that is horrible. I advocate for the programs completely, but they require a lot of planning in order to prevent them from becoming overwhelming. I personally know security engineers at Google and Facebook whose full time job is sorting through nonsense bug bounty reports.
What Tom said about people in Eurasia wanting to cash in on bug bounties is spot on. If you start a bug bounty program, expect to get a deluge of nonsense reports for bullshit like having the Trace HTTP method allowed on an API endpoint. For every one valid report, three - five will be bullshit. Of those that do not reproduce, half will be incomprehensible, and the other half will blatantly ignore the program guidelines or be low effort spam ("content spoofing"). If you offer a cash reward, expect the ratio of valid to invalid to be closer to 1 in 10.
It's a numbers game for these people. The security research industry is bifurcated between rare, sophisticated and highly paid freelancers who do it mostly for passion outside of their day jobs, and opportunistic amateurs who couldn't write a curl command.
BBVA? I have been trying to get in touch with them regarding an app of theirs (Access Key Extranet by BBVA Bancomer, S.A.
https://appsto.re/us/4QEKfb.i) which does not properly validate TLS certificates.
A lot of vulnerabilities are basically the same thing. From what I've seen, even legitimate researchers will have form reports. It's just an obvious optimization.
From there it's pretty easy to see that "vulnerability spam" would be a thing.
Why not? If anything the story above shows that a financial institution very much can and post-2008 I believe there many things a government cannot do but there are very few things a bank cannot do.
There was a guy who got thrown in prison for bringing a vulnerability to the attention of AT&T. He was thrown in solitary confinement for over a year. Then his sentence got vacated. What did he do as soon as he was released from prison?
He went on CNBC to argue that independent security researchers should start a hedge fund that short sells the stocks of companies affected by vulnerabilities. https://youtu.be/jxUWRRDdhVI
He seems to be of the opinion that this would be a less risky strategy than bringing those issues to the attention of many companies. He also believes that profit incentives for researchers will serve the public interest, because it creates economic disincentives against big companies having insecure software.
He didn't "bring the vulnerability to the attention of AT&T" he fucking told Gawker first. Furthermore, he's part of a number of black hat hacker groups, including an anti-semitic one despite the fact that he's Jewish.
There are examples of honest people getting fucked over, but this isn't one of them.
Honestly, that guy went to jail for being an asshole more than anything else. If at any point he had attempted to curry favor or at least neutrality, the outcome likely would have been far different.
As it stands, literally everyone who would have been in a position to be reasonable was someone he'd actively worked at pissing off. Not in the sense of someone he'd pissed off in the past, but as someone he was actively pissing off in conjunction with this issue. The moral of his story is that there's room for aggressive incident reporting, but not if one is going to be an insufferable jerk about it.
Ha, true. And the hedge fund should make its trades public. "Sir, the vulnerabilties hedge fund just bought options on our stock.". "Fuck, which of our software is it?"
Then the company could contact the fund holders for information and they could tell them "we'll let you know about the vulnerability in a month or two".
HackerOne will work with friendly hackers on a best effort basis to verify the legitimacy of a vulnerability, reach out to and verify the identity of an individual at the affected organization, then share the vulnerability with the organization so it can be resolved.
Seems like it address most of the problems of educating the organization so they don't threaten you.
Just that they have a name that will immediately be without any trust at any non -tech company. Basically mentioning "hacking" will make any non-technical CEO shiver and call the lawyers.
It is unlikely that there is a company in the US that has a security team that hasn't heard of H1. They're kind of a big deal. Since they're the ones handling the first contact in these situations, you can safely let their name be their problem; they know how to explain themselves.
The more realistic concern here is that for these kinds of findings --- CSRFs in random web applications --- there simply isn't going to be a contact at the target company, and H1 isn't going to find one for you. That's why they point out they can't promise a contact.
>It is unlikely that there is a company in the US that has a security team that hasn't heard of H1.
You'd be surprised. HackerOne is relatively new, just several years old. Does everyone know OWASP, almost certainly yes. Does everyone know the BSide community? No.
Anyway, H1 can act as a shield, in this case. On the other hand, companies like WhiteHat or Rapid7 are probably more well-known since they will probably spam your security team on a regular basis trying to sell their products.
I think the disclosure assistance is a pretty clever idea for generating new sales leads, since by definition they will be talking to companies with an actual zero day situation.
I would be more supportive if HackerOne just gave me a form so I can do this myself. I do not need HackerOne to take credit for my work and and do not need them to represent me. I'm a big boy and can follow my own ethics and take my own consequences.
If other people feel the same way, I'll fork and make a repo. EFF is a great starting point but it is not nearly usable as a HOWTO.
That's some startup that's trying to become an intermediary for bug bounty programs. They're in a WeWork shared space at WeWork Transbay on Mission in SF.
Unless they're hosting a bug bounty program for the vendor involved, they don't add any value.
They're the largest and most important bug bounty service, and have been for years.
WeWork leases offices; they have a shared workspace area in all the buildings, but most of their buildings are private offices.
Apart from the fact that there's a good chance the company you're trying to report to already has an H1 program running, what they're promising to do here is to spend some effort trying to track down security contacts for you. They profit from this, of course: if you give them a good bug, and they facilitate its reporting, the target company is very likely to sign up for H1. But it costs you nothing and might solve a problem for you.
(I'm ambivalent about H1 --- we run a couple H1 bounty programs that existed prior to us taking over security at our clients --- but I don't think it's a good idea to be dismissive of them.)
Personally I think this is a function the the FBI should fill. However, there is a risk they would sit on zero days and weaponize them (or give them to another three letter agency).
I wonder if an org like the EFF could add this to their scope.
Someone in another forum commented recently that there should be a new top-line federal agency whose mission is to promote the security of America's information infrastructure. They suggested it should be established as an adversarial check/balance against e.g., the CIA and NSA.
Maybe if they were required by statute to accept anonymous submissions and make FOIA-style responsible disclosures after a reasonably short period of time, they wouldn't end up colluding right away.
The already exists an agency with this mission: the NSA. The problem is that they have two often-conflicting mission statements, WTH the other being to spy on foreign adversaries. Really what this would entail is splitting the NSA into two bureaucracies, with the information-security one then being able to wholeheartedly pursue vulnerabilities that affect American infrastructure.
The offensive organization wold probably then still sit on vulnerabilities only it knew about, but at least this would be better than the current situation.
"The already exists an agency with this mission: the NSA."
It's a myth far as I know. I've studied them a long time seeing much conflicting info about this. A declassified, historical document I found at one point about them said their job was SIGINT and COMSEC (just communications security!) for U.S. government. A later provision extended this to protecting COMSEC of defense contractors. The IAD seems to have policy-driven stuff about helping protect INFOSEC in general. There could've been a COTS mandate of some sort at some point but it was clearly toothless.
The NSA is mandated to protect communication security of defense sector. That's it. Even then, the defense sector keeps asking them to downgrade the security to let in more quick-moving products from commercial sector that are hacker fodder. They've since started on a program that lets them in after a 90-day evaluation against the lowest standards from Common Criteria. The NSA is the last group that should be responsible for INFOSEC given all this w/ market an utter failure, too.
The groups that have done the most are probably NSF and DARPA for funding strong security with NIST and DISA (esp STIGS) at least trying to do something with hardening guides and crypto recommendations. I prefer reputation-driven nonprofits that are funded with combo of donations, licensing of quality software, and consulting fees. They can't get acquired or be destroyed by changes in government policy.
Whatever we might think about this idea, neither FBI nor NIST has the staffing to handle vulnerability reports. I've heard good things about reporting incidents to FBI, but there's pretty much no chance FBI (or NIST) is going to help you coordinate disclosure. FBI works cases. NIST is, for security stuff, something like 10 people.
That may be the charter of the the organization. But the individual people running the FBI goals are to 1) be reappointed / not get fired 2) continually expand their budget / power. Given US politics 1&2 are not always congruent esp in short term with "protecting americans".
While it may be true that in this particular instance the FBI might act benevolently, the idea was that it would be nice if there was an organization you could go to with any zero day bug. Even if the FBI is not mismanaged and always tries to protect Americans, you could easily imagine a scenario where someone reports an exploit to an OS where anyone can remotely install a key logger. The FBI wouldn't be a good organization to report this to because they may want to use this to track down criminals which, they would no doubt feel, would greatly outweigh the cost to Americans that the zero day represents.
The EFF seems like a good choice. In general you would need to pick an organization that does not have a vested interest in using exploits.
> While it may be true that in this particular instance the FBI might act benevolently
Indeed. Didn't the FBI effectively purchase a zero day to break into the iPhone of the San Bernardino shooter? Didn't they also then not disclose said zero day to Apple?
There's no way that any LE agency can be trusted with this responsibility; I'm not convinced that it can be done by the federal government at all. EFF seems like a reasonable choice, but even non-profits have the potential to be corrupted/subverted (and operating as a dump for zero days has the power to corrupt, for sure, regardless of how moral your organization claims to be on its website).
This definitely falls under the umbrella of hard-problems-in-politics-that-will-not-be-solved-any-time-soon
What makes you say that? Plenty of evidence points to upper management at the FBI and other 3 letter agencies being more interested in power brokering than honesty and serving the public.
How about the National Institute of Standards and Technology? My impression is that they are less interested in offense compared to the NSA, and more serious than possible private entities like PCI.
> The National Security Agency is now able to share raw surveillance data with all 16 of the United States government's intelligence groups, including the Central Intelligence Agency, Federal Bureau of Investigation, Department of Homeland Security and Drug Enforcement Administration.
In this case, the researcher cared because they wanted the bug fixed. Posting the vulnerability publicly risks having it be exploited maliciously, but it also maximizes the likelihood that the bug will actually get fixed, because it's hard to ignore a public vulnerability in your service.
If you don't care about your reputation, you post anonymously. An anonymous full disclosure post is a good way to report a bug without dealing with drama about your "incentives".
I sat on this disclosure for ten years because family told me FBI would go after me. Good advice or bad advice, that was ten years of my life that could have been better spent.
One time I found a photo printing website made all photos public. They refused to fix, I fully disclosed, it made front page Slashdot. Then the company had to change its name. Maybe it was fun or maybe I get credit but most importantly it gets something from my TODO list to my DONE list. This is very important to me.
I have a 0-day on Apple, not very exciting. I reported in 2015 and they still did not fix. Having this in my inbox is a waste of my time thinking about it. I will FD it.
My experience is that security researchers do not make money unless you run script kiddy programs for stupid bounty programs. When I interviewed for a "security" job all they would ask me about is Microsoft certifications and user access testing. I asked if a TLA offer letter counted as sufficient reference and he said no. At that point I immediately switched from MS CS into MS Finance and MBA and my life has improved (while still being technically challenging and academic.)
So technically my disclosure policy is IJDGAF with two extra weeks as a gentleman's favor. Maybe I'm the bad guy, but that's why I'm here for the lovely discussion on YC. Thanks for sharing.
You have never heard me say IDGAF is an unethical policy. If you've paid attention to me here (I don't know why you would), all you've seen me do is point out how Orwellian and coercive the term "responsible disclosure" is.
For a CSRF that you didn't use someone else's account to exploit and that you've told nobody about, and assuming you have no acquaintances who might screw you over by abusing the bug, 30 days and then Pastebin seems like a decent answer.
If any of your friends are shady, just forget about the bug.
The more unpatched vulnerabilities there are in existence, the more lucrative it is to be involved in any part of the computing crimes community.
It's like reglazing a broken window in your neighbor's garage at your own expense, because you don't want burglars to see it and start casing other properties in the same neighborhood based on the conditional probability that a visible broken window indicates a higher incidence of other exploitable vulnerabilities.
It's also important to pursue the very easily exploited vulnerabilities, because when you get rid of all the low-hanging fruit, the people who can't already climb the tree won't survive long enough to learn how. You're cutting a lot of bootstraps so that immature criminals can't pull themselves up by them.
This is correct, and the morally sound right thing to do if you're interested in cutting down on cyber-crime, but it unfortunately falls under the incorporeal "good-boy points."
Perhaps there's a breakdown of definitions here. I've lumped bug-bounty hunters and grey hat hackers, along with actual researchers, under "researchers." Stop me now if this isn't who you're referring to.
Now if it is, this route of action goes against the reseachers' monetary incentives. It is in their wallets' interests to have criminals validating the existence of their work. As well as selling the direct findings of one's research, including even minor exploitabilities, which is a given.
If researchers were to constantly give away their work (on even little issues) it would directly lower the cumulative value of cuber-security research, i.e their more expensive projects now sell for less.
The FBI / NCFTA invited me to speak about this vuln because it may have affected many banks at the time. (Please stop laughing.)
They called me to cancel. "Now we're all focused on this big DOS. Do you know anything about DOS that's happening today you can help us with?" I asked if the DOS is affecting the stability of the system or actually breaking anything. And they said yes it is bringing the banks down and affecting revenue.
New York City based their increased focus on petty crimes on it. I don't think it is useful as the basis for a model of policing, though.
In some ways, it is an embodiment of the slippery slope fallacy, where if security is not perfect, it's worthless, in the same sense that a roof with one leak in it is worthless, because that one leak becomes the beachhead for further damage to the roof.
Ahh! I just realized, I read about the New York broken windows situation in Malcolm Gladwell's excellent book (in my layman opinion) The Tipping Point.
From the original article in 1982:
Consider a building with a few broken windows. If the windows are not repaired, the tendency is for vandals to break a few more windows. Eventually, they may even break into the building, and if it's unoccupied, perhaps become squatters or light fires inside.
Or consider a pavement. Some litter accumulates. Soon, more litter accumulates. Eventually, people even start leaving bags of refuse from take-out restaurants there or even break into cars.
Broken Windows, The Atlantic Monthly, March 1982
--
The way I would put it, based on my visits to my home town of Zagreb, Croatia:
Because if the vulnerability turns into a problem down the line and ends up in court, the record of the payment could come out during discovery, which could be made to look bad for the defendant firm.
Have you heard of Elizabeth Kubler-Ross's '5 stages of grief' model that summarizes people's typical responses to bereavement? EKR argued that people generally go through a cycle of denial, anger, bargaining, depression and acceptance. IME this is a good rule of thumb for how people typically handle any kind of unwelcome news.
In this case:
o There is no such problem
o Grr why did you hack us I'll call the police
o How about you take this pittance and STFU
o We're just trying to run a business and you ruined everything
o OK we'll fix it and alert our customers
Vulnerabilities like these aren't likely to cost anything close to $10K, even if they stay open for years.
But stipulate that there's some number here, and the answer is: because nobody in management at Zecco ever built a plan for how to handle incoming vulnerability reports, and so nobody who got the report was empowered to do anything but escalate the issue --- and halfheartedly, at that, because nobody in management at Zecco ever build a policy that ensures anyone cares about vulnerabilities, so this is for them the moral equivalent of a WONTFIX.
The person I was in contact with was the CTO Michael Raneri and the General Council. And the CTO was promoted to CEO while the bug was still broken. And then he cashed out and sold the company.
What do you want me to tell you? I agree with you: they don't care. It didn't appear to matter for their outcome. They WONTFIXed a CSRF. Are you shocked?
On my phone call it was very awkward because I am spending lots of time helping them, sending multiple PoCs. But I think it improper to ask for money. Maybe if would count as blackmail. So I didn't. Also their ONLY goal, as per article, was to make me STFU. So this is why talks quickly got boring.
Spending money is part of the point, since that's the way one gains power in large organizations. Even better if one can spend lots of money doing something self-evidently stupid and also rather mean.
Large firms wouldn't survive at high enough rates to dominate public life as they do, if they weren't underwritten by the state at every turn.
I was thinking of exactly this as I read the article.
In a situation like this I'd probably directly ping taviso or someone else from the Google Project Zero team. Their contact information (email, G+, twitter (DM)) is not impossible to get at.
From there, I could get advice about next steps (the Project Zero team are going to know a few people) or maybe they could run with it themselves (depending on the bug; I don't know what the response would have been in this case).
Thank you, going forward this looks like a great start. And I have always had great experience reaching directly to Googlers when needing connections or technical advice.
> I have always had great experience reaching directly to Googlers when needing connections or technical advice.
Mind sharing how you've achieved this? I haven't had the same level of success, with my couple of attempts (thus far) to try to resolve various issues falling flat.
Both of these organizations might be "helpful" if you have a new Internet Explorer vulnerability, but neither will likely help you with a CSRF bug in a bank website.
What, more government spending and taxes and regulation? That's anti-American! Are you a traitor? Get the government out of our lives! Let the free market fix this. If you don't like it, just don't buy it. We don't need more acronyms! Just a bunch of bureaucrats! Drop more bombs!
Come up with a good set of guiding principles for members. This would help avoid waiting 7 years and then sticking it online. Not criticising, I'm saying the situation here is pretty screwed up.
Members pay dues, the association provides backing. Company threatens to call the FBI and the association is the one they can deal with.
An organized group can help to provide the needed political pressure so that a properly disclosed vulnerability doesn't ever lead to the FBI and trumped up charges.
A respected group can lend credibility to a researcher. A bank may not give 2 shits about even a well respected member of the community. They will care if it's a group well known for finding and disclosing vulnerabilities.
This seems like an easier problem than the general case of software engineers because the community is smaller and you don't have the conflicting interests of "I can negotiate better on my own". Plus things like membership can be handled more easily, start with a small group of people who absolutely should be members. Extend via application and invite.
Thank you. This seems like a great idea. I would be more open about it. Rather than fees and membership, I would have a list of contributors and cross-checked publications. Basically like a resume. I.e. if you want to announce a vuln we would help you timestamp it, and optionally have a person you trust vouch for its authenticity. And if having that timestamp and cross check is valuable to you then you can brag about it when you contact the vendor.
I'd like to work in an organization like this. I'm not sure if anyone would want to join. It seems like everyone else is either completely independent like my own IDJGAF strategy or they are full corporate like HackerOne and other brokers.
On a similar, but separate note, my bank launched a new version of its online banking platform. From launch I noticed it opened my accounts in a new tab while leaving my credentials (password and all) in the sign-in form. Not so bad when signing in from home - horrific if you're signing in from a public computer. I tweeted to the bank and spoke to someone on the phone about it. It's been 3 months and the bug is still there.
[EDIT]
I decided to log in today just to see if it's still there (was a couple days ago), and it's finally been patched. If I had used a throwaway I would gladly let you guys know the bank, but I won't since it's trivial to find out who I am from my handle.
So far, I count three separate replies to this article along the lines of "I also found my bank doing so-and-so thing insecurely, but LA LA I'm not going to tell you which bank it is!" These kinds of comments don't help anyone--you might as well not post them.
Who just has an attorney sitting around who is competent to handle such things? I wouldn't know who the fuck to call if I found something on my bank's website.
This deserves more than an upvote. This is exactly the right attitude. It puts the incentives in the right place and will let the market do what she does best: work.
Hm, I recall the Comodo hack. I think it Comodo was hacked twice or more times that year. It won many rewards and continued leading the CA space. The market did not work apparently...
The security market is working exactly as it was designed and evolved to. Far as when high-assurance started, the Black Forrest Group of execs of big companies convening on INFOSEC told one of INFOSEC founders they thought companies would refuse to sell them highly-assured software. The reason was they suspected they intended to make extra profit two ways: cutting QA for immediate profit; selling the fixes for later profit. This proved true with lock-in strategy combining for what was essentially checkmate to lots of companies.
The other end are buyers. Most of them don't know what to expect for security or how to evaluate it. Most attempts to solve this failed. They've been conditioned to expect constant hacks, crashes, or data loss. So, they see Comodo etc get hacked and shrug. They'll usually stay if their end of whatever they bought works. The sector that will pay for highly reliable or secure software is probably under 1% of the market or projects. It's enough companies keep forming to do real thing but tiny, tiny few struggling to justify the extra costs or less features necessary for higher security.
Just curious, what would the legal implications of something like that be? It seems like you're still benefitting from criminal activity that you enable, but what would the specific charge (if any) be? And any examples where people have tried this?
Although I guess it could help align customer and business goals, since no one wants to lose money
Not at all. You're making bets based on public information only you have realized is meaningful before informing the rest of the public to make money off that discovery. Quite a few folks make a lot of money this way and (nearly) everyone benefits: https://www.bloomberg.com/news/articles/2015-03-04/how-a-25-...
Nothing can protect you from the lawsuit being brought, but it will likely be thrown out. That's the same with anything, and whether you short a stock or not.
If you short it, at least you might make some money to offset any pending lawsuit. There's plenty of examples of people doing the same thing to fall back on, such as the guy who found out a newly listed company wasn't actually real[1].
IANAL but there is no risk that you may have to defend that proposition in court as long as you don't actually exploit the vulnerability and simply point it out.
It's public information.
Now if someone who works at the bank had told you about it, you'd be in a lot of trouble.
IANAL either but my understanding is that you can be prosecuted under U.S. law for poking around on servers in any unconventional way. The text of the CFAA forbids "unauthorized access" or "exceeding authorized access".
I'll admit that viewing the source code and noticing this link would be a stretch, but I wouldn't necessarily expect it to be a slam dunk for the researcher, especially if he had assented to the site's ToS (and since he had an account, it seems that he had).
At this point, I imagine he could be in all sorts of (primarily civil) trouble for the disclosure that he just made. He may be protected under some type of financial whistleblower law, but I wouldn't hold my breath.
"The text of the CFAA forbids "unauthorized access" or "exceeding authorized access"."
BOOM! And they've been harsh on hackers for a long time. So, the vulnerability must not require violating access controls or system integrity to be safest. Hackers should be in the clear if it was simply noticing something in HTML/HTTP or whatever that indicated insecurity. An example might be a breakable cipher-suite or handling sessions improperly.
This is a good parallel and you're definitely right. However, weev was charged [0] on 2 counts:
1. conspiracy to access a computer without authorization
2. fraud in connection with personal information
This is because Goatse Security not only noticed the vulnerability itself, but because they wrote and executed a script called the "iPad 3G Account Slurper" to iterate over ICC-IDs, returning the associated email address for each one.
Executing the script against AT&T's servers probably is a bona fide violation of the CFAA, not just a conspiracy, but I would guess it's simpler to bring the conspiracy charge since you don't have to get into the nitty gritty of actual requests made, etc.
According to the complaint, they proceeded to email a handful of notable people whose emails had been harvested, including someone on the Board of Directors at News Corp. All of these contacts appear to be media outlets. The Gawker article also lists some of the people whose email addresses were extracted this way (without disclosing their emails).
I'm assuming this direct communication to journalists and/or execs at journalism outlets gives rise to the fraud with personal information charge.
Overall, I don't think that weev did anything that I wouldn't have necessarily have done if I were in that situation (trying to drum up attention and make a name for his consulting firm), but it's different from this disclosure because as far as we know, this researcher did not actually exploit the vulnerability and he has not obtained or disclosed any information from doing so.
Would this really be considered public information, since the existence of that vulnerability it's not known to the public or literally anyone else until you publish that blog post?
I agree that making bets by noticing public information earlier is 100% okay (and in the case of Lumber Liquidators, a better outcome for almost everyone).
But would this case with the bank be different because the vulnerability, unlike formaledehyde, could be actively exploited? Encouraging a stock price to fall because of bad practices seems alright (like the LUmber Liquidators example), but if in the process you become an accessory to smaller-scale fraud against individual account owners, is it still "alright"?
There are law firms working with hedge funds that specialize in doing exactly this when they are about to file a class-action suit. It's possible to be criminally charged if you know that the information you are spreading is false. But other than that limited circumstance, you are free to trade on any information you have about a company that you did not illegally obtain from an insider. Even in the case that the information was obtained from an insider, to convict you, the government must be able to prove that you knew that the insider both a) received a benefit (usually money) in exchange for the information, and b) breached their fiduciary duty by disclosing the information.
That said, technical glitches tend to not affect the fortunes of companies nearly as much as we (the HN crowd) think. Tradeking had the glaring vulnerability outlined in this article for years, and they are doing just fine.
Great point, I think the tech crowd may overestimate the cost of glitches, relative to everything else at play in a business.
I think the point I'm getting hung up on is that the bank's stock price could drop for two reasons: bad PR due to the glitch, and/or falling financials due to fraud perpetrated as part of the glitch. I can completely understand a hedge fund trading and making money off the bad PR. But if (hypothetically) the bank lost a ton of money by hackers liquidating user accounts or, worse, making leveraged bets [before everyone checked for that sort of thing ;)], and the hedge fund knew there was a reasonable chance that the malicious activity would occur based on the newly disclosed information, would they have liability there? (from the theft/fraud perpetrated against the bank, not the drop in stock price)
I believe that responsible disclosure is a courtesy to the vendor and its customers. Afaik, there is nothing in the law that requires it. Exploiting vulnerabilities like the one you are discussing here yourself certainly would be illegal, and you could possibly be implicated in a conspiracy if you disclosed the vulnerability solely to one person or group that you knew would exploit it (so "I told my Russian hacker friend about this..let's short the stock before he nails them with it!" would probably be a conspiracy case, whereas a press release or HN posting would not be).
But general public disclosure of a vulnerability, and/or trading on the anticipated effects of public disclosure, is not illegal. It likely won't win you friends in the IT community, but it falls short of an indictable offense.
Martin Shkreli claims to have made a lot of money by shorting pharma companies ahead of their FDA results - he would read their studies and make reasonably accurate predictions as to the outcome.
Shkrelli has shuttered two hedge funds (Elea Capital Management & MSMB Capital Management) when he was unable to cover shorts and put options when the stock price moved away from him. He is also currently awaiting trial for securities fraud. So I would take his comments with a grain of salt.
This is why I said "claims". He no doubt failed at some of his shorts. On a livestream he said he made all the money he still has on his companies, not trading. The strategy is still relevant to the discussion, though.
Great link, thanks for sharing. The quote that stood out to me was “My issue was that patient safety wasn’t front and center.”
I don't have a problem with MedSec making money by shorting St. Jude's stock (that seems to align incentives to take care of security issues as early as possible). But if MedSec publicly disclosed specific, exploitable vulnerabilities (I'm not sure about specifics from the article), they shouldn't be able to hide behind the "doing what is best for the consumer" argument. It's definitely a clever business hack, and that's alright, but the fake sense of moral superiority isn't.
Alternatively, publish it in an obscure place online, get proof you published it in archived medium (eg Gmail or Archive.org), short the stock based on that now-public information, and then reveal it again in a way that will get stock-smashing attention. That's my hypothetical model I came up with when trying to figure out how to incentivize apathetic, but public companies, to care about security a bit. You can even follow up offering them security consulting but don't expect a yes haha.
I don't think it's HSBC, but they do similarly horrific stuff. Almost all banks have a truly terrible online service.
I'm a happy user of N26. I very, very highly recommend it to all european customers. I'm never dealing with shitty bank service again. https://n26.com/ (Email me if you want a referral invite).
People often confuse lack of published security issues with the existence of strong security. It was the rally cry all along of techies opposing Apple's security-based advertisements.
I use HSBC for personal and business, can confirm personal is bad but HSBCnet (business) is the worst software application I've ever used, period. http://john.je/k7X2
Wells Fargo and Schwab seem ok in my experience. Wells Fargo even updated their site with slick new UI and menu options are actually findable. Amazing!
Just today...? Chase Bank has been case-insensitive for several years now. I even contacted them about it when I found out and they outright told me they had no plans to fix it.
It's 2017, and I still have online financial accounts that are "secured" by short numeric PIN, so count yourself lucky that you can at least use some letters in your password.
C-mp-t-rsh-r-: your website's trash and you should be embarrassed with yourselves.
So I know this also :) I am a techie that made a bit of money and it was kept at Schwab. I made a big enough issues of it that they arranged a call with their security team. The call was good and they explained the reason why (legacy system) and their plans to update / fix it. They also address my questions about password storage (hashing/salt) - they did it correctly. They showed a great deal of knowledge and competence in their job, such that I was willing to leave my money. I applaud their willingness to have the call. My dealings with them have always been pleasant.
Wells Fargo seems ok in your experience??!! Is that a joke?
Your account is wide open to any of thousands of employees who conspire against you. You're ok with that?
It's people like you who keep companies like that in business and encourage such atrocious activity.
Right, most public computers I've seen would be trivial to bug with a key logger. Though with 2fa, I suppose it wouldn't be quite as bad (but then again, those using public computers might not be using 2fa).
There's plenty of laggards who don't have home internet and only browse through e.g. a library computer. Some of them are probably doing banking too, given the recent trend of preferring online transactions
For anyone being as confused as me in the timeline bit: The author is called Will(iam) Entriken. So "Will" and "Entriken" is the same as "I" and passive voice.
Kudos to the author, and hopefully they don't get sued as a result. This bullshit with corporations trying to cover up security vulnerabilities (rather than fix them) needs to stop.
"Sign this NDA or we will send the FBI to arrest you because you found that our banking website's security was completely fucking broken and told us about it." Jesus fucking christ.
No one should independently contact a company about this type of issue without first obtaining competent legal advice. And I do mean competent advice; most lawyers are very technically illiterate and will not be sympathetic, let alone familiar with the relevant areas of law.
The researcher is lucky that TradeKing believed their NDA trick was sufficient. Even if the case here is weak, and I wouldn't necessarily assume it is, it would still seriously damage the researcher's life.
Here's how it goes when you get sued by a big company. Their lawyers essentially have a heyday doing everything possible to obstruct and delay the process so that they can maximize their time on the corporate teat. It will go on for years; they won't mind because it's business as usual for them, and they're getting paid big bucks to torment you. Your life will be ruined: assets seized pre-emptively, reputation and credit destroyed, inordinate quantities of time consumed by legal research and tedious paperwork, struggling (if not immediately blatantly failing) to keep your incompetent counsel paid at $250/hr and meet the retainer, and eventually failing to file some document or pay some fee that will cause the court to enter a default judgment against you and permanently confiscate everything you own, leaving you with the albatross of a massive outstanding judgment waiting to be enforced, bank accounts garnished any time you get any money, etc. And that's the short version!
And then guess what -- if, by some miracle, you don't lose in the first round, this whole process will repeat as they file appeal after appeal. Hunker down because the proceedings will last at least 5 years.
The corporate lawyers will be able to justify all of it to their clients without blinking an eye, who probably forgot that they even asked them to sue you. Everyone at the company and the law firm will go home and sleep soundly on their piles of money, and you'll have learnt your lesson that trying to stop the subterfuge of an online trading platform is a terrible offense.
My father is a (technically literate, he used to be a database architect) lawyer, and the general advice he gave me was that if you are in a situation where you have a critical vulnerability you should disclose it through a lawyer anonymously -- your identity is then protected under attorney-client privilege (assuming you haven't just asked your lawyer to commit a crime by disclosing it).
Interesting idea. Thank you for sharing. Is the goal just anonymity? Technically we already have solutions for anonymous disclosure of documents. Are there other benefits?
A technical solution to the anonymity problem would probably work just as well (assuming it wasn't backdoored), though the protections against a lawyer disclosing their client is legal rather than technical (so the "splatter" from a company's over-reaction are more likely to be smaller). You also get the additional benefit of the company probably taking a disclosure more seriously if it comes with a law firm's letterhead (unfortunately).
Here's what really happened. I talked with my doctors and realized that I only have so much time left to live. Writing this article was of the items about putting my affairs in order. So short term this was a good decision.
Otherwise, in court I'll be happy to defend myself. If it is necessary to spend time to defend yourself then that is a blessing. I have successfully sued the government (the US Army and Veterans affairs, no less) http://www.gao.gov/docket/B-413723.2 when they do things wrong. Just be persistent and be right. Then we came out with a nice settlement. Sorry GAO used to publish fulltext docket outcomes but I don't see it here.
Fuck Nissan. (Can we curse here on HN?) Because their cars suck and because of this case that I am well aware of. The sad thing is that Mr. Nissan spent so much money in defense. I should hope that he would be able to be more effective with less money.
How much should one spend to report this? Even the first consultation with that type of lawyer would be a few hundred $. If the threat is that real, why not just close the account and go somewhere else.
Yeah, the incentives are perverse. This is more of a symptom of the function of our legal apparatus than the law itself, because in theory, going through the legal process should be quick and if not affordable, at least reasonably doable for the individual or small business.
Companies that run formal bug bounty programs (either directly or through a third party like HackerOne) show some recognition of this and some goodwill, especially those that include payouts of five figures or more, but those companies have to be careful that they don't accidentally create an environment where bidding wars between exploiters and companies are legitimized.
Why not? Yes prices can become high, but isn't that the work of the researcher? If the company doesn't want to have to purchase expensive bounties, they can either reduce the exposure (less legacy code, fewer APIs, more firewalls) or use more strict security rules.
I'd feel safer if LastPass' bounty was higher than the value of the assets I put in that vault. If the value of a single vault (mine, actually) is $10,000 and the bug bounty is $2500 (which it is), how can we persuade discoverers to sell to LastPass?
The NDA is not a valid contract because there is no consideration. For a contract to be valid each party has to gain something. This is why many contracts include a token consideration of $1. This one didn't, so it's invalid.
I definitely think you're correct. In the future you could probably save yourself the hassle of the "Are you a lawyer?" questions by dropping the phrase "almost certainly" right before "not a valid contract". Most attorneys I know are super reluctant to call a contract invalid without some sort of qualifying language.
This contract might actually be egregious enough to warrant an unqualified declaration of invalidity, in which case you should go the other direction and overstate your case with conclusory statement and some word like "clearly" or "patently". "This contract is patently invalid!" and then explain why.
Despite the fact that I'm not a lawyer, I happen to know quite a lot about contract law because I was once involved in a contract dispute. That provided quite a good education on this particular topic.
Consideration is a common law concept as far as I can tell. As someone unfamiliar with how it came to be: Why was consideration introduced? What's the rationale, the goal behind it?
A contract is what lets you sue someone over a private transaction. That's what it does, that's all it does. If for whatever reason you're not willing to bring a contract dispute to court, then your contract doesn't do anything and you wasted your time writing it. Contract = right to sue for breach of contract.
In order to sue someone, you need to be able to describe what damages have been done to you. The goal of a lawsuit is for the responsible party to 'make you whole,' i.e. pay you back an amount equal to the damages done to you.
In a contract dispute, the 'damages' of breaking the contract is equal to the 'consideration' of fulfilling the contract. In other words, the promised consideration is the actual thing that you can sue over.
If there is no consideration, then there are no potential damages, and there is no potential lawsuit. And since the only point of a contract is to enable a lawsuit, a contract that doesn't do that isn't a contract.
"the 'damages' of breaking the contract is equal to the 'consideration' of fulfilling the contract"
This is categorically incorrect.
Damages for breach of contract are supposed to put you back in the position you'd have been in had the contract been performed. It's not related to the value of the consideration.
Consideration is one of the things needed to make a contract binding in English law (along with offer & acceptance, and "intention to create legal relations").
Jurists still debate the rationale for consideration, but the best answer I've found is that contract in English law is seen as an exchange or a “bargain”. There is no gratuitous contract, donations are not contractual right.
By comparison, a contract under French law is based on "consent of the parties" and the theory of individual autonomy. There's no requirement for consideration.
In a "mutual NDA", consideration is easy to find; each party agrees not to disclose confidential information disclosed by the counterparty.
Another way to make an agreement binding without consideration is to sign it as a deed.
> In a "mutual NDA", consideration is easy to find; each party agrees not to disclose confidential information disclosed by the counterparty.
I don't think mutual NDAs are typical. Typically, you sign an NDA prior to receiving information. So the consideration for signing the NDA is receiving the information that you agreed to not disclose. If you already have that information, then that's no longer valid consideration.
In this case, the reporter already knew the security vulnerability, so that knowledge could not be considered consideration. The bank would have needed to offer something else.
It's what distinguishes a contract from a promise.
If I say, "I'm going to give you some apples in six months, after the harvest" and then there's a blight and I don't actually end up with any apples, society (at least in America) decided that I should be able to just say, "Oops, sorry, I'm not going to be able to give you those apples after all" and be done with it.
On the other hand, if I say, "I am going to sell you some apples in six months, in return for $100", American society collectively decided that I'm on the hook to get you those apples, regardless of whatever difficulties should ensue.
I believe the idea is nobody would willingly sign a contract that does nothing to benefit themselves so they must have been mislead into the agreement thus it is invalid. Sort of a rational actor theory of law.
Typically yes, access to the information is the proper consideration for agreeing not to further disclose the information. But as lisper says [0], that will also typically be spelled out in the contract.
If a contract doesn't outline consideration, and the jurisdiction requires consideration, then the lawyer writing the contract was not very good at their job...
Possibly. But the contract doesn't say so. This is exactly why the consideration has to be explicit, so the judge adjudicating disputes doesn't have to guess about such things.
Because it’s much easier for the court to reach a judgement about a contract if both parties are clear about what they were expecting to gain from it.
Also, you have to ask why someone chose to sign a one-sided contract. Was it signed under duress? The court shouldn’t enforce that. Was it a gift? The court would rather not get involved with enforcing every casual promise!
This was a test for understanding that a person not familiar with a particular field (e.g. GP and common law) will not be easily able to find a source on a particular aspect of that field and at the same time verify the information are more-less complete. Therefore, it's much easier for someone familiar with the field to provide a link to appropriate source.
I thought it was significant that they were able to distinguish it as a common-law concept. Are you implying this was something like a lucky guess on their part?
I agree. There's plenty of "Tester agrees"/"Tester shall (not)", but the document provides nothing of value/benefit in return.
Worth noting that just because it doesn't stand up as a contract doesn't necessarily mean a claim can't be made under breach of confidence (I doubt it would be applicable here, but just pointing out that contracts aren't the only form of legal protection provided to confidential information).
It's not about the dollar value, it's about having a contract. In a contract, the parties usually agree to do something in return for something else. This NDA is completely one-sided. The author gains nothing. So basically it is a gift, and not a contract. And in many legal systems, it is easier to take back a gift than to undo a contract.
I thought continued employment was the textbook example of not being consideration which is why a company can't say they fired you with cause for not signing an NDA that was presented to you after you had already been working there
Edit:googled some more and it appears that continued employment as sufficient consideration is different on a state by state basis and isn't firmly set in stone yet
It is, especially (but not necessarily) if the person promising not to sue has a valid claim. This is covered in any contract law textbook, but it's an old common law principle so there are plenty of free online sources, too. For example, in the US, see Bennett, 'Forbearance to Sue' (1898) 10(2) Harvard Law Review 113–118 [1]; in the UK, see Kelly, 'Forbearance to Sue and Forbearance to Defend' (1964) 27(5) Modern Law Review 540–545 [2].
I wouldn't be so sure - for example, out of court settlements pretty much amount to "We'll pay you $x without admitting that we ever did something wrong, and you agree not to sue us over that thing that we totally did not do.", and these definitely are valid contracts.
Obtaining an opposing party's waiver of their right to pursue legal remedies is not the same thing as obtaining non-binding indication that they may not pursue you legally.
In the first case you have extinguished a right that could be used against you. In the second case you have obtained nothing more than the illusion of safety.
Not suing in that case is the terms of the contract. The consideration is $x for party A and for party B it's not having to admit wrongdoing. Had the NDA in question given William $x to not disclose the security hole then he would certainly would be in breach of contract. But the NDA gave him nothing.
When they were drafting the "contract", the concept of consideration was very interesting. I had considered that if I would receive cash for agreeing to not disclose then this would be blackmail which apparently is bad.
Consideration is a necessary but not sufficient condition to have a valid contract. There are a lot of other requirements as well. This is why it is best to have a lawyer review any contract you sign, especially when the stakes are high.
My reading is that he signed it because he was falsely made to believe he may have done something illegal and this would protect him from the FBI. I.e. he was coerced.
Assume the expertise. A whole semester of university dedicated to contract law: Consumer contracts and B2B contracts in the national law, then the specifics when dealing with a party in another European country and internationally.
You'll see what a contract needs to be valid during these courses. There is simply nothing about both parties requiring to gain something.
"the best schools are free where I come from" generally implies living in one of civil law jurisdictions, where many legal principles are quite opposite from USA.
A good bunch of things taught in a contract law class are subtly wrong even for a very similar neighbouring country (in EU it's now getting a bit better because of harmonization efforts) but common vs civil law changes pretty much everything.
And a semester in contract law is not really much expertise - any MBA with a semester in USA contract law would have much more relevant expertise than us Europeans talking.
You think you are qualified to determine ANYTHING about US contract law when you've taken a single semester in contract law related to an entirely different country?
By your logic I am basically a Astronomer. Except mine is more relevant since astronomy is the same regardless of where you take a "whole semester" of it.
We certainly don't have all the facts surrounding this case, but we definitely have enough to move forward under the assumption that this would be resolved with American and probably Californian law. I'll leave you to research whether California requires consideration for valid contract.
I have no idea since I haven't reviewed the contract. But consideration can be more than just cash money. In some areas and circumstance continued employment can be enough consideration. Or getting access to more information might be enough.
We definitely don't have all the facts and learning new facts could definitely change the direction of the conversation. I hope that we all understand that this arm-chair lawyering is, at its core, a hypothetical exercise.
But even if we are allowed to infer consideration, and I agree with you that we are, this contract isn't simply lacking the terms of consideration. It doesn't appear to contemplate consideration at all, which in my experience, is unheard of for these types of agreements.
Normally, you'd be allowed to look at the entire circumstance to determine consideration if it was unstated. however, this contract contains some pretty strong clauses about the document being the entire terms of the contract. So maybe that would be enough to invalid it.
But that would depend on the specific jurisdictions case law on contracts and then how the judges reading the contract.
If this were my client and he got some kind of consideration, I'd tell him to treat it like a valid contract. Though I'd trying to poke holes in it during litigation. But litigation is losing 9 out of 10 times, even if you win.
Well, the contract has been published, we could get more facts. (except it's midnight now and I'm not gonna read it carefully now)
Without going into the extreme details of this case. Being "considerate" in legal jargon is much more subtle than "both parties have to gain something" in engineering talk. Determining the consideration can be as hard as a NP problem, to speak in engineer :D
Back to my original point: Let's not talk people into signing perfectly valid contracts, hoping for a loophole because it didn't look nice enough to them!
This is actually pretty close to how I personally define a "professional": A professional is someone whose work can only be judged by other professionals of the same domain.
Obvious failure modes are exempted. Anyone can tell you about a bad bridge after it has failed. But it would take a bridge engineer to tell you that before it fails.
Your definition would include tradesmen and craftworkers, then, who are not strictly professionals. Anyone can work in wood long enough to say "That wooden bridge looks like it'll hold X people," and not have any way of conveying how they came to that conclusion, because they didn't learn via a means of studying a specific body of work that can be measured and accredited. Without this distinction, many professions would not exist.
> Your definition would include tradesmen and craftworkers, then, who are not strictly professionals.
According to what definition?
> Anyone can work in wood long enough to say "That wooden bridge looks like it'll hold X people,"...
I severely doubt that, given the complexity of trussed bridge designs [0]. There's a lot more to it than how much weight a 4-by-4 can support.
> ... and not have any way of conveying how they came to that conclusion...
If you can't transfer knowledge in a way that other people can independently verify, you're working in magic. If such a transfer is possible, but simply not possible for a particular person because they lack the tools, then that's a professional failing. For some reason, this state seems acceptable to you when we're talking about physics and complex loads. But could you imagine a doctor describing the appendix as "that thing sticking out where the long thin squiggly bit meets the short thick squiggly bit"?
> Also, your definition includes itself as part of its own definition, which is a circular definition fallacy.
You can't just throw out "circular definition is fallacy" and dismiss the idea. That itself is a fallacy -- "argument from fallacy". [1]
Yes, I use the word "professional" twice, but that's not necessarily a circular definition and especially not necessarily a fallacy. First, the two "professionals" are not the same person. The first mention of "professional" is an individual, while the second mention is a group. What I did is tie membership of a group to a conditional ability which is dependent on the group itself.
However, I did cheat a little bit. Because what I did not define is the individual ability necessary to meet that conditional. Because, of course, that changes depending on what group of professionals we are discussing.
For backup, let's look at a definition of malpractice [2]:
> a dereliction of professional duty or a failure to exercise an ordinary degree of professional skill or learning by one (as a physician) rendering professional services which results in injury, loss, or damage
In other words, malpractice is a professional doing something which such a professional should not do... Because the mere fact of a person being a professional implies that they should know better.
It's this same logic that I am using: A professional is someone who acts in a professional capacity, and understands the practices of such profession, and thereby is capable of judging whether another person understands and acts in a professional capacity.
Lawyers tend not to tell they are on internet because of potential liability. Thus when you read IANAL odds are goods that the writer known about the subject but don't want to be liable in any way so he just protect itself.
PS: and if you want an advice by a lawyer that accept liabilities for its counsel just pay for it, because that is the only way you get it.
This is for cases where you want the credit but still want the protections afforded by being somewhat anonymous. Similar to WikiLeaks but more focused on allowing the company or entity to solve their problems and representing fairness on all sides.