Where is the world going if everyone feels threatened over nothing at all…

Feel free to email me at editor@exegy.today.
So I have been thinking about how Exegy felt threatened by me reaching out to their customers to see whether they have a bounty program for their outside vendors, and to disclose discoveries to them.
Sure, they hate having their customers become aware of their security issues and of the time and resources they will have to spend fixing them, but at the same time it helps build a more secure environment for them.
If a customer has to wait for a company to disclose those flaws and vulnerabilities to them, how can they ever prepare and design some kind of risk management for potential issues that could affect their own business?
It does make me wonder: if anything was ever disclosed to Exegy, what kind of precautions do they have in place for telling their customers how to deal with such issues until a fix is available, or what they should monitor in the meantime?
Do they just inform them and hope those potential issues just don’t happen… or do they design a plan for how they can take precautions? What if they have a bad actor in their own company who might see those issues and use them for their own mental or monetary gain?
I do not see a problem with a company's customers being informed of potential issues their vendors might have; it helps them get ahead of the curve before a disaster strikes.
Sure, the company might not like the reputation it could bring, but that is only because they don't know how to handle the matter professionally.
Look at Microsoft… they have tons of bugs and issues at times, and no one really cares. That's because they do their best to be professional about them and laugh at the jokes people pass around.
Would Exegy get mad if someone reached out to them about flaws in their firewalls, or would they reach out to their vendor to see whether it had been disclosed or needed to be reported? Who knows; when I tried to raise KnowBe4 issues, they pushed me off to MITRE after KnowBe4 wouldn't help.
This whole situation between Exegy and me has taught me a lot about the legal landscape a security researcher should actually navigate, but at the same time it showed me that, depending on the sector a business is in, disclosure could potentially cause more harm to them, and who really wants to do that?
This is all due to fines and penalties that can be piled on top of them, even though they should have been aware of that from the beginning.
The landscape has changed drastically over the years. I believe companies that are part of critical infrastructure should be required to be fully transparent with one another about bugs and issues; this way we can keep each other aware of potential security issues.
If you are scared of this and can't stand the jokes and reputation it could bring your company, then obviously you don't care enough about your product to make your consumers feel safe and secure.
Obviously there is no agency that checks whether a company that is part of critical infrastructure has the right policies and security in place. An investigation only seems to be warranted when whistleblowers speak out.
Who actually wins from that? Just the government agencies that demand the company pay fines, when really that money could have benefited the company instead.
Why should any company be harmed in this way? You almost think there should be some agency that does periodic checks every so many years for certain types of companies, because maybe they aren't even fully aware of the evolving legal framework and regulations that get pushed out every so often.