So I've gradually opened up about this as the risk has decreased, but I think it's time I can publicly share something that happened to me this year:

I was part of an investigation into a possible violation of the CFAA. Or, more accurately, I was being investigated as a suspect.

TL;DR: I ethically disclosed a security vulnerability - SQLi leading to account info, plaintext passwords. That same issue was, according to the investigators, abused by someone (possibly me, they thought). This stuff is exactly why I would never dare disclose a vulnerability with my name attached.

You either get little reward or end up with a lawsuit.

@privateger Absolutely fair. If my situation were even slightly riskier (and I'm risk-insulated as hell right now), I don't know if I could justify doing any ethical disclosures - anonymous or not. The potential downside is just too fuckin' big.
