I understand why the author thought that way, but showing up with private data that the company is obligated to protect complicates things quite a lot more.
I've dealt with security issues a number of times over my career, and I'm genuinely unsure what my legal obligations would be in response to an email like this. He says the company has committed "multiple GDPR violations"; is there something I need to say in response to preserve any defenses the company may have or minimize the fines? What must I do to ensure that he does eventually delete the customer data? If I work with him before the data is deleted, or engage in joint debugging that gives him the opportunity to exfiltrate additional data, is there a risk that I could be liable for failing to protect the data from him?
There's really no option when getting an email like this other than immediately escalating to your lawyers and having them handle all further communication.
> is there something I need to say in response to preserve any defenses the company may have or minimize the fines?
Company should have SOPs for this.
He downloaded data of multiple users.
Yes, that’s the PoC.
Seemingly it could have been scoped tighter.
But complaining about the methodology of your (successful, free, overdue) penetration test is wild.
You can lead a horse to water, as they say.
Suicidal horses who won’t drink pose little risk to other innocent horses!