Data Protection Act agreement

After speaking to a security engineer on a Friday at 21:00, I walked him through step-by-step and explained to him what the problem was and how to solve it.

Virgin resolved it, but unfortunately, despite talk of some sort of recognition for my work, I was informed the following Monday that I would not receive a reward nor public recognition. Virgin told me: “Virgin will not comment on this”, “At the moment there is no programme to reward people for finding vulnerabilities”, “We can’t give you a preference over other candidates since it’s unfair”. They did, however, thank me a number of times on the phone and via email.

The problem is patched now but had I been someone with malicious intentions, I could have done a lot more and might not have reported it at all. Maybe we should try to promote a more open approach where people are being rewarded for good actions and public recognition through open media rather than trying to hide the fact that sometimes we all make mistakes.

EDIT 1 (23rd of October 07.38)

Just wanted to clarify that the vulnerability has been patched (a while ago) and I am writing this afterwards. Also, I did receive a thank you from them a number of times on the phone and by email.

Virgin Media were told by me long beforehand that I would like to write a blog post. I was told there will be no comment issued from them.

The goal of this post is to promote more openness and to suggest that companies should look into their security and maybe reward anyone who finds something wrong and reports it. Vulnerabilities should not be publicly disclosed until they have been patched and publicly disclosing them has been discussed.

The post was not made to promote against Virgin Media. I applied there; why would I apply for a job at a company if I didn't want to work there? I respect Virgin Media and I still have their VR glasses given to me at a job fair :)

EDIT 2 (23rd of October 19.30)

WOW

Also someone posted a link to my article, which hit 265 upvotes on r/tech

https://www.reddit.com/r/tech/comments/58vt6x/vulnerability_in_virgin_media_website_exposed/

EDIT 3 (24th of October 21.59)

Just hit 5k wow

Also IB Times wrote an article about this story:

EDIT 4 (1st of November 14.17)

Here is a list of all news agencies who covered the story

Also 306 shares on LinkedIn