Reply to post: Re: Entitlement

Footfallcam kerfuffle: Firm apologises, promises to fix product after viral Twitter thread, infoseccer backlash

Michael Wojcik Silver badge

Re: Entitlement

Far too many organizations, large and small, fail to deal with external security researchers properly. Attacking them is a sign of a failed company. Don't buy their products; they're not actually interested in security.

When you're contacted by a researcher, or see a public disclosure of a possible vulnerability in one of your products, you must treat that as a genuine problem in the product until you've evaluated it. And being reasonable and diplomatic with the researcher - even if you feel the researcher is being unreasonable, even if you feel the situation is extortionate - is absolutely necessary. Your job is to get as much information as possible. In the extraordinary case where there's some grounds for a legal complaint, that's a matter for after you have the vulnerability confirmed or refuted, and a fix ready if it's real. And then it should be handled by lawyers, and your lawyers should know how to make a proportionate response that won't turn into a PR nightmare.

Every company with an IT product to sell needs someone on PSRT duty, and that person needs to be trained appropriately and temperamentally suited for the job. Small firms don't need a dedicated PSRT team, but they do need at least one person who understands disclosure practices and responses. And everyone else, including directors, needs to stay the hell away from these situations.
