So a few days ago I wrote about a bug I found in Google’s Calendar system. Mind you, this wasn’t the earth-shattering bug that would crack Google wide open, but it was a back-end input validation bug.
So I did what I thought was the right thing: I reported it to Google. They didn’t make it easy. First send an e-mail, then fill out this form, and then… nothing.
Nothing, except that they fixed the bug and never even said thank you.
So that’s the world we live in today. Where people find bugs in software, report them, and don’t even get a thank you. Is this why people who find these bugs choose to weaponize them anonymously for cash? Because doing anything else puts the “hacker” at risk?
What I wrote above is a pretty big jump, from finding a bug to weaponizing a 0-day, but it’s a reasonable one. People who find these bugs put themselves at risk. I mean, look at the guy who found the AT&T bug. After only two years he might actually get his life back, but it will be nothing like it used to be.
What if, instead, he had just sold the data and not told anyone? That would be bad, don’t get me wrong. But you know what’s worse? Ambivalence. Either on the side of the people who find the bugs, or on the side of the people who should be thankful for those responsibly disclosing them.
Hey Google, it’s called a “Thank You”… You should Google it.