Re: Does anyone take this seriously?
Couldn't agree more.
I've properly disclosed bugs, vulnerabilities and exploits many times over my career (spanning 20 years) and in my experience, it is quite common for software developers to take it personally and completely lose their shit...it is also quite common for software developers (those with an MSc or a PhD from certain institutions) to look down and sneer then try and convince me that I must be mistaken because of "do you know who I am?".
I've had a few scuffles with the police and lawyers in my time over vulnerability disclosures. It never goes anywhere, but it is a massive waste of everybody's time...all of this is very UK centric though...I find if I disclose things to companies outside the UK, it is less hostile...the US for example, it is pretty common to be paid and asked to assist with the fix...usually in Blighty you're told to shut up, sign an NDA and fuck off.
My top 3 wankers of all time were Cambridge educated. Two MSc one PhD. The number 1 was the PhD guy who consistently denied the existence of a SQL injection bug...I was a lot younger at the time and he proceeded to call me a "little bastard", "unqualified shit" and a "disrespectful caddish bounder"...the last one had me in fits of laughter in a meeting...never before or since that meeting have I ever been called a "caddish bounder"...especially not in such a serious tone...this dude threatened to call the Police on a few occasions.
Number 2 on the list was an MSc, he'd built an analytics platform from scratch that captured data while a user went about their business on the site (e.g. filling in forms etc) and then the platform would go off and scrape various social media APIs, phone directories etc...essentially building a list of sales leads with contact info. Anyway, the guy claimed his system was "bulletproof" and could not be hacked because it didn't use SQL and had many layers of protection between the external facing services and the database...long story short, the JavaScript that was injected onto customer websites hoovered up literally everything without sanitising it...you could get it to suck up arbitrary JavaScript that you placed in a text field, and the backend customer dashboard would arbitrarily execute it when it tried to render it...at no point along the chain was anything checked or sanitised...my first demonstration, because I could tell this guy was a prick, was to just inject arbitrary text onto the dashboard...unimpressed he decided to brush it off, so I highlighted that this could be much worse...he then flew off the handle, accused me of wasting his time and he bet me £100 that I couldn't manipulate the backend dashboard in any meaningful way...so I injected some harmless JS that would display an alert with "hello world" in it in the browser console...again "So what? I'm keeping my £100"...so I said, alright, double or nothing I can deface the dashboard and trap your crawlers somewhere...he laughed his ass off at me and took the bet...he sent me a picture of a very large rubber penis and told me "Get this picture of yourself on the dashboard, and I might pay you"...Needless to say, his database was absolutely chock full of that particular image within about 10 minutes, and because of the way his crawlers followed links, I had 6 out of his 8 crawlers looping around a page I set up constantly ingesting the image he sent me.
Needless to say the dude absolutely flipped his lid...by this point, I'd spoken to his business partner and someone I knew who was an investor in the business...I was never hired to fix the bug, rewarded for finding it or even acknowledged for it...not one person said "thanks"...but about 3 months down the line I was informed that all funding into the business had been withdrawn, the company went tits up and the MSc guy decided to go into teaching...I'm not sure where, but he was teaching at a university somewhere...presumably creating new generations of self obsessed, utterly useless twats.
Anyway, my point is, too many overqualified people in the business take disclosures personally and they are very quick to dial shit up to 10 and invoke our shitty laws to keep the problem under wraps and never actually deal with it.
These days, if I find a bug, I just don't bother disclosing it to the lead engineers / devs...I disclose directly to the CEO (if it is even possible to contact them) and go through them...it attracts even more ire from the technical folks, but at least you have some level of confidence that you won't be shafted by an obnoxious over confident charlatan of a developer.
What would really go a long way, is developers not taking things personally...I don't know the timescales you were working to or the budget you had...I'm not there to make you look bad...I'm there to help...if you were fucking smart, you'd use a bug disclosure as evidence that cutting corners leads to problems and leverage the situation to change internal aspects of your development and testing process...that I can get onboard with...assuming that you are hot shit because of where you studied and the paperwork that you hold though and swinging your dick around...you will lose all respect immediately...especially if you are an older professional...because not all that long ago the curriculum at most universities for Comp Sci / Software Development was shit...so shit, that the vast majority of engineers / developers didn't bother going to university, because it would have been 5 years spent learning nothing useful which would put you at a 5 year disadvantage against other professionals...not to mention, you'd also be in debt...we're an industry full of pragmatists...it isn't often the case that people with fewer qualifications in our space are "talentless fuckwits", quite the contrary in fact...many people in this space have few to zero academic qualifications because any pragmatic thinker would weigh up the pros and the cons and make a decision accordingly...because this is an industry where your skills and abilities far outweigh the paperwork you can wave around...the paperwork can more often than not set you back in a big way...because the minute an actual engineer gets a whiff that you're trying to leverage a qualification without demonstrating anything, you are on his shit list...you get a lot further in this industry by simply demonstrating your skills...if you come to me and explain something without demonstrating it, I won't take a lot of notice (I would have about 20 years ago, because search engines and the like weren't a thing, so writing something up had some value)...but because Google / YouTube exists, a simple explanation will not suffice...if you come to me and confidently show me, I'll take notice and I'll take you seriously.
To give you some actual real world examples of why academics are generally shit...my nephew recently got his BSc (Hons) in Computer Science (Network Engineering)...I'm proud of him, of course...but I did put him to the test...he came round after graduating and I gave him a length of CAT6, two RJ45s and a crimping kit and asked him to make me a 1m patch lead...he could not do it...but he has been led to believe by his lecturers that he is ready for a management position in the tech industry...I am planning on throwing him in at the deep end at some point, to give him a nice dose of reality to bring him down to Earth a bit...here is a list of other stuff he cannot do (not exhaustive):
1. Build a VM and install Windows in it.
2. SSH into a Linux server and get the IP address.
3. Understand the symbols on a network diagram.
4. Shut down Windows using the command prompt.
5. Explain what a package manager is.
6. Tell me what ports 80, 25 and 23 are and which ones should be disabled and why.
7. Define the acronym "NAT".
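The failure in the analytics-platform story above (form text captured on a customer site and dropped into the backend dashboard with nothing checked or sanitised along the chain), shown beside the fix a defender would want: encode at the output boundary. This is an added JavaScript example, not code from the original post or from the platform it describes; the field names and function names are assumptions.

```javascript
// Constructed sample of what a collector script might have captured from a
// customer's form. The second value contains markup; on the vulnerable render
// path the dashboard's browser parses it as HTML and runs the script.
const capturedFields = [
  { name: "email", value: "alice@example.com" },
  { name: "company", value: "<script>alert('hello world')</script>" },
];

// Entity-encode the five characters that let text break out of an HTML text
// node or attribute value. Do this when rendering, not when capturing: the same
// stored value may later be shown in a different context (CSV export, JSON API)
// where HTML entities would be wrong.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: captured values concatenated straight into dashboard markup.
function renderUnsafe(fields) {
  return fields
    .map(f => `<tr><td>${f.name}</td><td>${f.value}</td></tr>`)
    .join("");
}

// Hardened: every captured name and value is encoded before it reaches the page,
// so the browser displays the text instead of executing it.
function renderSafe(fields) {
  return fields
    .map(f => `<tr><td>${escapeHtml(f.name)}</td><td>${escapeHtml(f.value)}</td></tr>`)
    .join("");
}

// A check the dashboard's own test suite could run: after stripping the table
// tags the template itself emits, no raw script or image tag may survive.
function containsRawTag(html) {
  return /<(script|img)\b/i.test(html.replace(/<\/?t[rd]>/g, ""));
}
```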