Comment by cptskippy

7 days ago

Maintaining Cybersecurity Insurance is a big deal in the US, I don't know about Europe. So vulnerability disclosure is problematic for data controllers because it threatens their insurance and premiums. Today much of enterprise security is attestation based and vulnerability disclosure potentially exposes companies to insurance fraud. If they stated that they maintained certain levels of security, and a disclosure demonstrably proves they do not, that is grounds for dropping a policy or even a lawsuit to reclaim paid funds.

So it sort of makes sense that companies would go on the attack because there's a risk that their insurance company will catch wind and they'll be on the hook.

It's not generally good financial advice to pay the overhead of an insurance company for costs you can easily pay yourself (also things like phone insurance, appliance warranty extensions, etc. won't make your device last longer, and the insurer knows better than you what premium covers the average repair costs plus a profit margin). If you have a decent understanding of where the line is between vulnerability disclosure and criminal activities, fronting any court fees and a little bit of lawyer time (iff you can afford these out of pocket) until you're acquitted should be the better route, assuming anyone even ever takes you to court.

  • > It's not generally good financial advice to pay the overhead of an insurance company for costs you can easily pay yourself

    For a lot of companies, a lawsuit would be the end of them even if it's not financial ruin. Oftentimes the decision to purchase insurance isn't made by the CEO but rather by the board of directors.

    Board directives are often why you see companies adopting or trending towards certain activities that don't necessarily make sense. They might be to the benefit of a member of the board or one of the other companies they chair.

Heh, what insurance company you use should be public information, and bug finders should report to them.

  • I wonder what that might reveal. Often decisions are made at the direction of the board of directors. I have to imagine they would be opposed to such disclosures as it might reflect poorly on them.