HackerTrans
TopNewTrendsCommentsPastAskShowJobs

deep_thinker26

no profile record

Submissions

Ask HN: How do you read 1K+ comments in a HN thread

2 points·by deep_thinker26·6 miesięcy temu·7 comments

Ask HN: I own wtf.store -what to build that makes people say WTF (in gud way)?

3 points·by deep_thinker26·w zeszłym roku·1 comments

Ask HN: Bug Bounty Dilemma – Take the $$ and Sign an NDA or Go Public?

22 points·by deep_thinker26·w zeszłym roku·14 comments

comments

deep_thinker26
·7 miesięcy temu·discuss
It's so great that they allowed him to publish a technical blog post. I once discovered a big vulnerability in a listed consumer tech company -- exposing users' private messages and also allowing to impersonate any user. The company didn't allow me to write a public blogpost.
deep_thinker26
·8 miesięcy temu·discuss
Location: Dubai, UAE

Remote: Yes

Willing to relocate: Yes

Technologies: Agentic AI, Typescript, NodeJS, Python, ReactJS, Postgres, Docker, K8,

Résumé/CV: http://aaditya.cc/resume

Email: [email protected]

Experience: 4+ years

Product-focused Software Engineer with 4+ years of experience delivering production-scale systems across early stage startups and global tech companies. Proven record in 0→1 development, scalable infrastructure, and ML-powered product features – driven by speed, clarity, and focus on end-user impact.
deep_thinker26
·w zeszłym roku·discuss
thanks for the reply - really appreciate it. I get the sense of what you are indicating and it makes sense as well. Also I am not security researcher, but a software engineer who tinker around with other apps
deep_thinker26
·w zeszłym roku·discuss
I am not a security researcher - a full stack engineer who likes to look for vulnerabilities in my free time
deep_thinker26
·w zeszłym roku·discuss
Thanks for the reply — really appreciate it.

The company doesn’t deal with health or financial data, but yeah, user impersonation and access to private messages is still serious enough to expect some level of accountability.

I’m holding off on sharing more details for now since mentioning the domain + the vuln might make it too easy to identify the company.

I’m leaning toward a public write-up after giving them fair notice.

One more thing is that the vulnerability has already been fixed (I reported it 3 weeks ago), so not sure how much leverage that still gives.
deep_thinker26
·w zeszłym roku·discuss
Thanks for the thoughtful reply — really appreciate it.

I actually stumbled upon the vulnerability without any prior request. They don’t have an active bug bounty program, and the Head of IT Security I’m in touch with mentioned they don’t have dedicated funds for security researchers — which is hard to believe for a company with a £200M+ market cap.

I’ll definitely dig a bit deeper into the legal side.

Based on all the suggestions here, I’m leaning toward quoting them a fair amount considering the impact. If they don’t agree, I’ll likely reject the NDA and do a public write-up after a reasonable disclosure window.

One thing I forgot to mention earlier as of today — the vulnerability is fixed (I reported it around 3 weeks ago), not sure if that changes anything leverage wise.
deep_thinker26
·w zeszłym roku·discuss
How AI ( LLMs, Agents ) can help you?