> If you're some IT related person that does something else as your primary job this may or may not be fine if the FBI shows up and starts asking lots of questions about all kinds of things.
This is exactly what I tell my coworkers who are getting into security. Keep your mouth shut about anything you find unless you have a reporting channel that leads to a "well lawyered" security company.
I've found vulnerabilities that I would have loved to disclose, but being a lowly IT generalist, I'm not going to stick my neck out. I can't imagine my employer would like the press.
I use one-off email addresses at my personal domain and historically warned companies that I was seeing spam to one-off addresses as possible indications of a data breach. By and large I was ignored, but occasionally I received a word of thanks. Even more occasionally I received notes of thanks that, in fact, I had uncovered a data breach.
Once, however, I received a nasty response insinuating that I'd breached their systems. The person I contacted didn't, apparently, understand what I was saying. They were confused that their company name was to the left of the "@" in my email address.
That was enough for me. I decided I was done reporting those events. Too much risk.
I sign up for a service using "123abc-theirdomain.com@mydomain.com" as the email address. Messages to that address come to my "Inbox". I don't use the address for anything else. I never send a message with that address.
Years pass.
I start receiving email solicitations for erectile dysfunction remedies and, oddly, woodworking plans (what is it with the spam for shed plans?) to that address.
Either my address was sold or a data breach occurred.
(It could have been my own data breached, but it seems unlikely, if that did happen, that the result would be me receiving spam only to that one specific address.)
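The detection logic implied by this scheme, as an added example (not code from the post's author): each one-off address carries the domain of the service it was given to in its local part, so any message to that address whose sender is not that service is a signal that the address has left the service's hands. The mailbox domain, the sample messages and the `tag-servicedomain` layout are assumptions for this illustration.

```python
import re
from email.utils import parseaddr

# Assumed mailbox domain for the example; the scheme in the post is
# "<tag>-<service-domain>@<my-domain>", e.g. "123abc-theirdomain.com@mydomain.com".
MY_DOMAIN = "mydomain.com"
TAGGED_LOCAL_PART = re.compile(
    r"^(?P<tag>[A-Za-z0-9]+)-(?P<service>[a-z0-9.-]+\.[a-z]{2,})$", re.IGNORECASE
)


def parse_tagged_address(addr):
    """Return (tag, service_domain) for a one-off address, or None if it is not one."""
    local, _, domain = addr.rpartition("@")
    if domain.lower() != MY_DOMAIN:
        return None
    m = TAGGED_LOCAL_PART.match(local)
    if not m:
        return None
    return m.group("tag"), m.group("service").lower()


def sender_domain(from_header):
    """Domain of the address in a From: header (display name is ignored)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def same_org(sender, service):
    """True when the sender is the service itself or one of its subdomains (mail.theirdomain.com)."""
    return sender == service or sender.endswith("." + service)


def flag_leaks(messages):
    """messages: iterable of (from_header, to_address, subject).

    Returns one finding per message that arrived at a one-off address
    from a domain other than the service that address was registered with.
    """
    findings = []
    for frm, to, subject in messages:
        parsed = parse_tagged_address(to)
        if parsed is None:
            continue  # not a one-off address; nothing to correlate
        _tag, service = parsed
        sender = sender_domain(frm)
        if not same_org(sender, service):
            findings.append({
                "address": to,
                "registered_with": service,
                "sender_domain": sender,
                "subject": subject,
            })
    return findings


# Constructed sample messages (from, to, subject); domains under .example are placeholders.
SAMPLE_MESSAGES = [
    ("Their Domain <news@theirdomain.com>", "123abc-theirdomain.com@mydomain.com", "Your monthly statement"),
    ("Receipts <receipts@mail.theirdomain.com>", "123abc-theirdomain.com@mydomain.com", "Your receipt"),
    ("Shed Plans <offers@shedplans-deals.example>", "123abc-theirdomain.com@mydomain.com", "16,000 woodworking plans"),
    ("Pharmacy <rx@cheap-pills.example>", "123abc-theirdomain.com@mydomain.com", "ED remedies"),
    ("Friend <friend@gmail.com>", "me@mydomain.com", "hi"),
]

if __name__ == "__main__":
    for f in flag_leaks(SAMPLE_MESSAGES):
        print(f"{f['address']} (given to {f['registered_with']}) got mail from {f['sender_domain']}: {f['subject']}")
```

Run over the constructed mailbox, the two spam messages are reported and the two from the service (including its `mail.` subdomain) are not. Many services send legitimately through a third-party mail provider's domain, so a hit is a signal to look at the spam volume and sender pattern for that address, not proof of a breach; a per-service allow-list of known sending domains is the obvious refinement.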