
305 CVEs and Counting: Bug-Hunting Stories From a Security Engineer
2020-10-02 14:01

So I scrolled up to one of the SGI systems, typed in LP, hit enter and said, "Thanks, I don't need to log on. I already got one." My manager swung around on his chair and he goes, "How did you do that?" And I said, "I know IRIX systems have an LP account that has no password by default on all the systems." And he looked at me and he says, "Would you be willing to do security for us?" And I said, "I was hoping you'd say that." So from then on, I was the unofficial penetration tester for this network that was literally untouched by any security person, I think ever.

He's like, you understand that, that, you know, security is important.

I know, too, you know, you were talking a little about reporting CVEs to MITRE and I know, you know, they were that whole, the whole concept of CVEs was introduced in the 1990s to, you know, really identify these public software flaws, and especially as they were starting to increase in number and frequency.

You kind of thought, Well, why didn't this happen earlier? But, you know, it's just an evolution, I guess, of developing, you know, practices for the security industry.

I think you have to be careful if the company doesn't have a bug bounty program, and they say, hey, look, you know, we're sorry, we don't have a bug bounty program, we can send you a couple of T-shirts, and a water bottle, and some swag, some stickers, but that's about it.


News URL

https://threatpost.com/cves-bug-security/159767/