My favorite part about operating a responsible disclosure program is all the drive-by Indian "security researchers" who copy paste OWASP best practices and then go silent when you ask them to provide a practical demonstration that their reported vulnerability is actually exploitable against our infrastructure. 🙄

Discussion

Man, I get this all the time. They just share ‘findings’ about missing HTTP response headers that have been picked up by nmap scripts and vulnerability scanners.

It’s up to you to do the needful.

Worked at a very large insurance company for nearly two decades that went through multiple stages of outsourcing to those big Indian firms that dominate the IT space. Ended up becoming friends with some of them over the years and ended up finding out salaries as well as how they were able to provide so many "qualified" bodies since they came at 5 or 10-to-1.

Was shown their vast PCE dump libraries on pretty much every vendor and technology. On top of that, they had an onsite testing facility where you could just retake until you passed. Bona fide cert mill.

Once the ink was dry, it didn't matter if they were paper techs because they usually had a couple dudes that actually knew their shit and would carry the contract. Those guys usually ended up stateside getting paid what they were actually worth.

nostr:note1l5kkww3mvjvfzm8qrjrn5084egtwx57vvmrsqdgnxkrwu8jgtu5sheq5xz

PoC||GTFO