New by me: I analyzed the websites of America's top companies (aka Fortune 100) and found dozens of companies don't have any easy way to report security flaws to them.

Of the companies that _do_ have vulnerability disclosure policies, half don't actually pay for bug reports.

I break down the data in my new article: https://this.weekinsecurity.com/dozens-of-americas-largest-companies-have-no-simple-way-to-report-security-flaws/

My cyber newsletter also goes out weekly. Sign up/RSS: https://this.weekinsecurity.com

Dozens of America's largest companies have no simple way to report security flaws

New analysis shows that around one-third of America's Fortune 100 companies do not have a vulnerability disclosure policy, bug bounty, or a dedicated email address for reporting security flaws.

~this week in security~

@zackwhittaker I’ll absolutely pay for submitted actually useful bugs, but putting a payout chart on the website invites an onslaught of “Hello you are missing this security header that hasn’t been relevant in 10 years” submissions and other dumb things like “I can use dev tools to change the response from the server and see the react app” — more so than simply existing on the internet already invites that low-effort, low-quality stuff.

It’s an interesting economic balance to strike - and I don’t even mean the money for the payouts. That’s the easiest part.

@dade @zackwhittaker and now people are automating those requests with AI slop, which makes it 1000x worse.