Re: Does anyone take this seriously?
Couldn't agree more.
I've properly disclosed bugs, vulnerabilities and exploits many times over my career (spanning 20 years) and in my experience, it is quite common for software developers to take it personally and completely lose their shit...it is also quite common for software developers (those with an MSc or a PhD from certain institutions) to look down and sneer then try and convince me that I must be mistaken because of "do you know who I am?".
I've had a few scuffles with the police and lawyers in my time over vulnerability disclosures. It never goes anywhere, but it is a massive waste of everybody's time...all of this is very UK centric though...I find if I disclose things to companies outside the UK, it is less hostile...the US for example, it is pretty common to be paid and asked to assist with the fix...usually in Blighty you're told to shut up, sign an NDA and fuck off.
My top 3 wankers of all time were Cambridge educated. Two MSc one PhD. The number 1 was the PhD guy who consistently denied the existence of a SQL injection bug...I was a lot younger at the time and he proceeded to call me a "little bastard", "unqualified shit" and a "disrespectful caddish bounder"...the last one had me in fits of laughter in a meeting...never before or since that meeting have I ever been called a "caddish bounder"...especially not in such a serious tone...this dude threatened to call the Police on a few occasions.
Anyway, my point is, too many overqualified people in the business take disclosures personally and they are very quick to dial shit up to 10 and invoke our shitty laws to keep the problem under wraps and never actually deal with it.
These days, if I find a bug, I just don't bother disclosing it to the lead engineers / devs...I disclose directly to the CEO (if it is even possible to contact them) and go through them...it attracts even more ire from the technical folks, but at least you have some level of confidence that you won't be shafted by an obnoxious overconfident charlatan of a developer.
What would really go a long way, is developers not taking things personally...I don't know the timescales you were working to or the budget you had...I'm not there to make you look bad...I'm there to help...if you were fucking smart, you'd use a bug disclosure as evidence that cutting corners leads to problems and leverage the situation to change internal aspects of your development and testing process...that I can get on board with...assuming that you are hot shit because of where you studied and the paperwork that you hold though and swinging your dick around...you will lose all respect immediately...especially if you are an older professional...because not all that long ago the curriculum at most universities for Comp Sci / Software Development was shit...so shit, that the vast majority of engineers / developers didn't bother going to university, because it would have been 5 years spent learning nothing useful which would put you at a 5 year disadvantage against other professionals...not to mention, you'd also be in debt...we're an industry full of pragmatists...it isn't often the case that people with fewer qualifications in our space are "talentless fuckwits", quite the contrary in fact...many people in this space have few to zero academic qualifications because any pragmatic thinker would weigh up the pros and the cons and make a decision accordingly...because this is an industry where your skills and abilities far outweigh the paperwork you can wave around...the paperwork can more often than not set you back in a big way...because the minute an actual engineer gets a whiff that you're trying to leverage a qualification without demonstrating anything, you are on his shit list...you get a lot further in this industry by simply demonstrating your skills...if you come to me and explain something without demonstrating it, I won't take a lot of notice (I would have about 20 years ago, because search engines and the like weren't a thing, so writing something up had some value)...but because Google / YouTube exists, a simple explanation will not suffice...if you come to me and confidently show me, I'll take notice and I'll take you seriously.
To give you some actual real world examples of why academics are generally shit...my nephew recently got his BSc (hons) in Computer Science (Network Engineering)...I'm proud of him, of course...but I did put him to the test...he came round after graduating and I gave him a length of CAT6, two RJ45s and a crimping kit and asked him to make me a 1m patch lead...he could not do it...but he has been led to believe by his lecturers that he is ready for a management position in the tech industry...I am planning on throwing him in at the deep end at some point, to give him a nice dose of reality to bring him down to Earth a bit...here is a list of other stuff he cannot do (not exhaustive):
1. Build a VM and install Windows in it.
2. SSH into a Linux server and get the IP address.
3. Understand the symbols on a network diagram.
4. Shut down Windows using the command prompt.
5. Explain what a package manager is.
6. Tell me what ports 80, 25 and 23 are and which ones should be disabled and why.
7. Define the acronym "NAT".