Yeah. I’d have to agree. At most companies, even just stumbling on or pointing out a vulnerability in the system or product by accident is often met with more annoyance and anger than appreciation or praise. Much of the time they believe in a sort of “security through obscurity,” where if no one, or few people, know about an issue, they can just leave it alone. Once you call out a vulnerability it is now known by more people, and there’s a record they knew if it ends in litigation later, so they likely have to spend huge amounts of money on something that doesn’t generate profit. Yes, it saves profit, but there isn’t a spreadsheet metric used by stockholders or to calculate bonuses on the potential savings a company has made, only actual quantified measures.