cookiengineer 19 hours ago

The Chaos Computer Club offers proxy services for vulnerability disclosures, as they also have a legal team that can help you. It's totally anonymous, create a shitty randomized protonmail or whatever for it and you're set.

I am never filing any vulnerability disclosure under my real name, nor under my pseudonym. I've learned this lesson the hard way. Incompetence never gets punished, because intentions do not matter in front of the law - and especially not in front of a criminalizing-by-default law.

Only mad men file responsible disclosures under their real name and risk going to prison because of barbaric laws. Don't be that fool.

[1] https://www.ccc.de/disclosure

sam_lowry_ 12 hours ago

Check this out also: http://mikhailian.mova.org/node/295

CCB does some strange things indeed.

  • g-b-r 7 hours ago

    While the point that 2FA can also be a risk is fair, that article has some fairly horrible advice.

    His long, unbreakable password that he only knows by heart can be leaked by any of the services he uses it for, if he uses it for more than one.

    Weak password + name of the service is one of the first combinations tried by attackers.

    Random complex password but relying on e-mail recovery for unimportant and rarely used services, instead, seems ok (but it takes very little to save a password in a password manager).

    It's not a great look that his site doesn't support TLS, by the way.

g-b-r a day ago

I guess that one of the takeaways is that Belgian systems and services are significantly more likely than average to have vulnerabilities, so you should stay away from them.

cadamsdotcom a day ago

Sounds onerous & a fair bit of the requirements add nothing.

Laws on the books rarely change; plenty of places have silly leftovers like laws about where you can park your horse.

userbinator a day ago

> it applies to me even if I am not a citizen of Belgium and don’t live in Belgium

Stay anonymous, look up extradition laws to be extra-safe.

lesser-shadow a day ago

qrd: if Belgium gov gets hacked they fully deserve it

Am4TIfIsER0ppos a day ago

> coordinated vulnerability disclosure

And I was thinking it was a disease.

Please don't help this country. It needs to fall apart.

phkahler a day ago

Not sure why the author wants to tell the world xxx org had a business logic vulnerability and I found it. The rest was OK, but why the need to talk about that type of vulnerability? It's a one-off. Also, making the existence of it public might draw others to their site looking for more.

  • ben0x539 14 hours ago

    Many people like talking about what they do for work, or their hobbies.