Comment by mort96
4 years ago
It's also not a pen test. Pen testing is explicitly authorized, where you play the role of an attacker, with consent from your victim, in order to report security issues to your victim. This is just straight-up malicious behavior, where the "researchers" play the role of an attacker, without consent from their victim, for personal gain (in this case, publishing a paper).
Because of the nature of the research, an argument can be made that it was like a bug bounty (not defending them, just putting my argument), but they should have come clean when the patch was merged and told the community about the research, or at least submitted the right patch.
Intentionally having bugs in the kernel that only you know about is very bad.
The primary difference being the organization being tested explicitly sets up a bug bounty with terms, as opposed to this.
I'll take People Who Don't Understand Consent for $400, Alex.