    The failure mostly seems to be in the support triage/escalation process failing to recognize this needs to be escalated.

    One thing that probably doesn’t help is that there are a crapton of script kiddie “security researchers” sending you silly uninformed “security reports” in the hope of a free t-shirt or whatnot as a “bounty”. The recent Hacktober thing reminded me of that. Most of them were just spammy non-issues, but people keep asking for free shirts and the like anyway, typically sending many follow-ups.

    The funniest I ever got was some person sending a YouTube video demonstrating some non-issue and typing in Notepad to explain (with much backspace use, no audio). The entire thing was about 6 minutes and absolutely hilarious. I wish I had saved it.

    This was at my last job, which is just a small/medium B2B SaaS company you probably never heard of (yet large enough to attract these people, it seems). It’s not a well-known company or anything, and I must imagine Grindr gets much more of this spam.

      Yes, there are a crapton of “script kiddies” out there, but then again there are some serious issues that can be found by script kiddies. Using GitTools for example. I, a script adult ;), have had quite a hard time reporting the repositories I found by running this script for domains in the .nl range. I found a common pattern of website-builders that were vulnerable (with database credentials in the repo…).

        Yeah, but you (presumably) know how to interpret the results of the tools and generally know roughly what you’re talking about. The problem we had is that people would run some script and then send us the results as soon as it showed a “possible error”, but this was never really applicable to the situation (as we ran the tools ourselves, too).

        For example the amount of emails we got with “ur site isnt having CSP header, plz sent shirt” for our public website is staggering.

          Fair enough, the analysis of the results is definitely a necessary step.