Does DeepSeek have a bug bounty program I'm not aware of with a clearly defined scope? It appears that Wiz took it upon themselves to probe and access DeepSeek's systems without permission and then write about it.
If you do this and the company you're conducting your "research" on hasn't given you permission in some form, you can get yourself in a lot of hot water under the CFAA in the USA and other laws around the world.
Please don't follow this example. Sign up for a bug bounty program or work directly with a company to get permission before you probe and access their systems, and don't exceed the access granted.
Posturing huh? Nice. That was intended to be helpful. Go read the CFAA. What they did is, believe it or not, illegal. I didn't make the law, and many think the CFAA is ridiculous, but that's how it works. If you even access a computer system beyond what you've been granted it's a CFAA violation with stiff penalties.
>The Department of Justice today announced the
revision of its policy
regarding charging violations of the Computer Fraud and Abuse Act (CFAA).
The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
You're correct, this is not so black and white as you originally established. Glad you came around!
And yes, it's posturing if you wax on from such a pedestal without even reading the first paragraph of the article, which addresses your legitimate concerns.
They left open a publicly exposed database... I'm sure they informed the company about this before publishing their post. Why are you blaming Wiz for this?
I agree to your comment, but also there's probably an unspoken gentleman's agreement that DeepSeek fixed the issue and won't pursue legal action against Wiz, since they were helpful and didn't do anything malicious.
I did the same a while ago, an education platform startup had their web server misconfigured, I could clone their repo locally because .git was accessible. I immediately sent them an email from a throwaway account in case they wanted to get me in trouble and informed them about the configuration issues. They thanked me for the warning and suggestions, and even said they could get me a job at their company.
The CFAA is a US law. Assuming you break it, in order for that to matter, an American prosecutor needs to find time to prosecute you for doing so. Does Deepseek have any American presence at all?
Likewise, there may be Chinese laws were violated. However, outside of China they are a moot point.
If you do this and the company you're conducting your "research" on hasn't given you permission in some form, you can get yourself in a lot of hot water under the CFAA in the USA and other laws around the world.
Please don't follow this example. Sign up for a bug bounty program or work directly with a company to get permission before you probe and access their systems, and don't exceed the access granted.