Don't report anything at all if you're concerned about that.


So... just give up?

This mentality really bothers me -- your "don't bother me with your trifling banalities" snooty attitude is what makes it impossible for people like me to feel safe in reporting major leaks of health information. If you don't want to deal with it, find a new job.


If you think the other end is going to blame you for the data leak... yeah? What other options are there?

You could report it anonymously, but I'd have thought an HN user would come up with that option by themselves. Just in case though, you could report it anonymously.


Blame for a leak isn't the problem if a leak never happened, since the goal is to _prevent_ a leak through disclosure. Your snark makes it clear that you have little to no interest in trying to see the issue from the side of the person disclosing the issue, who at the end of the day is just trying to prevent lives from being ruined through simple negligence. Yes, people obsessed with bug bounties is a thing, but in contrast to the risk of ignoring a legitimate disclosure email, who cares?

The issue here isn't that someone would be blamed for a data leak - not even a bit. The issue is that there's a good chance that panicked management won't consider the disclosure as helpful, but instead as a genuine attack on their infrastructure, and will get non-technical lawyers involved. Tons and tons of people have been sued for doing this.

Giving as little information as possible is _necessary_ to reduce the risk of being sued. That you, and people like you, think that little information is a waste of time is just sad, man. Think about it from the shoes of those who try to disclose, and the lives of people whose information is in the systems that you maintain. Get off your lazy high horse, spend the hour to review their email, do your fucking job, or get out.


OK, it really feels like you're either misinterpreting what I've said to vent some anger or I've misspoken. In any case, the opinion you hold of me is not representative of my attitude towards security.

Of course I want to know about security issues. Actual security issues. I don't want some script kiddie pinging me about a port that's open trying to fish for a few grand because I'm the cunt that opened it! It's not an open printer or whatever nmap is telling you, it's probably a non-standard SSH port. Something someone with skill would figure out in a second.

If you find an open printer on my networks - send a printout to it. Say hello.

Have a good day.
