While white-hat hackers get paid for reporting flaws this particular researcher was reported to the police after responsibly disclosing a data leak.
Normally security researchers who find data breaches and vulnerabilities in organizations’ cyberinfrastructure get thanked for their effort in helping to make the company secure or get paid by bug bounty programs.
However, this particular researcher was reported to the police after finding a data leak in a company and informing the owner about it.
This also reminds us of 2015’s incident in which Wesley Wineberg, an independent security researcher, participating in Facebook’s bug bounty program, managed to crack his way through Instagram defenses and almost get complete control over the service.
Soon after the researcher disclosed the vulnerability to Facebook, the company threatened to sue, instead of paying the reward he was due for his work.
As for the recent incident, the security researcher goes by the name of Rob Dyke and while being a white-hat hacker, he is also an open-source advocate. In a tweet on March 8th, 2020, the researcher revealed that he discovered two public repositories on Github back in February 2021 and informed the owner of that data leak.
The repositories contained:
- API keys
- Application code
- URLs of third-party embedded items.
Following the standard procedure, the researcher decided to encrypt the sensitive data, store it, and keep a copy for a disclosure period of 90 days. In the meanwhile, he informed the data owners regarding the leak and helping him in taking the sensitive info offline.
Quite unexpectedly, at the start of March, Dyke received a notice from the owner of the organization which consisted of him being threatened with legal action for unauthorized access of their data.
However, he stated that the repositories were said to have been exposed online for two years, leaving plenty of scope for threat actors to exploit the information posted.
According to Dyke’s tweet, he decided to seek help from a tech-savvy lawyer to help him deal with this unexpected bullying from the organization that was previously thanking him for his effort.
However, since some information was still online at that time, he decided to keep everything undisclosed and didn’t reveal the organization’s name.
The researcher and the owner of the company apparently came to a resolution but then the researcher published a letter from the Northumbria Police in which they had asked him to contact them regarding a report of computer misuse.
By this time the researcher finally revealed the organization’s name which was Apperta Foundation, a United Kingdom-based company with services linked to the National Health Service (NHS).
The fact that the police were even asking Dyke to provide his side of the story shows that Apperta continued to report the event to the police, endangering the researcher and possibly putting him through a process of shaking off the consequences of a potential concoction.
At the end of the day, this story just proves how people who legitimately try to help organizations are the ones who often end up in trouble and if someone does bother to report breaches, they should do so anonymously.