Casino Accused of Withholding Bug Bounty, Then Assaulting 'Ethical Hacker'

An anonymous reader quotes Ars Technica:
People who find security vulnerabilities commonly run into difficulties when reporting them to the responsible company. But it's less common for such situations to turn into tense trade-show confrontations -- and competing claims of assault and blackmail. Yet that's what happened when executives at Atrient -- a casino technology firm headquartered in West Bloomfield, Michigan -- stopped responding to two UK-based security researchers who had reported some alleged security flaws. The researchers thought they had reached an agreement regarding payment for their work, but nothing final ever materialized. On February 5, 2019, one of the researchers -- Dylan Wheeler, a 23-year-old Australian living in the UK -- stopped by Atrient's booth at a London conference to confront the company's chief operating officer.

What happened next is in dispute. Wheeler says that Atrient COO Jessie Gill got in a confrontation with him and yanked off his conference lanyard; Gill insists he did no such thing, and he accused Wheeler of attempted extortion.

The debacle culminated in legal threats and a lot of mudslinging, with live play-by-play commentary as it played out on Twitter.

Ars Technica calls the story 'practically a case study in the problems that can arise with vulnerability research and disclosure,' adding 'the vast majority of companies have no clear mechanism for outsiders to share information about security gaps.'

A security research director at Rapid7 joked his first reaction was 'man, I wish a vendor would punch me for disclosure. Boy, that beats any bug bounty.' But they later warned, 'It's on us as an industry not only to train corporate America on how to take disclosure, but also we need to do a little more training for people who find these bugs -- especially today, in an era where bug outings are kind of normal now -- to not expect someone to be necessarily grateful when one shows up.'

Read more of this story at Slashdot.