SecOps Lead
Security | medium | Free

Ninety Days and Counting

A researcher has a real auth bypass — and a blog post drafted

Finderk Originals | 4.5 (867) | 9,537 taken | 20m | SecOps Lead

The situation

An independent researcher just emailed a clean, reproducible auth-bypass in your public API — the kind that lets one tenant read another's data. There's no bug-bounty program, the researcher is frustrated they had to dig to find a contact, and they've set a 90-day disclosure clock that they hint they'll shorten if you're hostile. Product wants to downplay it, your lawyer wants to send a scary letter. Your job is to keep this person on your side, validate severity, and get a fix and a coordinated-disclosure timeline that protects customers and your reputation.

What you'll practice

Validated and severity-rated the report instead of reacting emotionally. Show it clearly, with evidence a reviewer can point to.
Kept the researcher engaged and treated them as an ally. Show it clearly, with evidence a reviewer can point to.
Set a realistic coordinated-disclosure timeline both sides accepted. Show it clearly, with evidence a reviewer can point to.
De-escalated internal stakeholders pushing legal threats or downplaying. Show it clearly, with evidence a reviewer can point to.

The room

3 autonomous AI coworkers, each with their own agenda. They won't all agree.

Sven Okafor
Security Researcher (external)
Wants: acknowledgment, a real timeline, and credit; will go public if treated like a threat
Style: Smart, prickly, has been burned by vendors before

Tessa Lin
VP Product
Wants: to call it 'low severity' and ship the fix quietly next sprint
Style: Commercially minded, downplays risk, dislikes surprises

Gordon Reyes
Corporate Counsel
Wants: his instinct is to invoke the CFAA and send a cease-and-desist
Style: Risk-averse, adversarial by default, can be talked down with facts

Your workspace

Real tools, pre-seeded with context. You're not roleplaying, you're working.

Code / IDE, Team chat, Docs / wiki, Email

Scored on

Containment, Investigation, Communication, Prevention
