Accusations fly between a researcher and a vendor over a vulnerability and a bug bounty that was never paid

Wow.

Following a serious vulnerability disclosure affecting casinos globally, an executive of casino technology vendor Atrient has assaulted the security researcher who disclosed the vulnerability at the ICE conference in London. This is the story of a vulnerability disclosure gone bad, one involving the FBI, a vendor with a global customer base of casinos and a severe security vulnerability which has gone unresolved for four months without being properly addressed.

Read more on SecJuice. The story gets even wilder.  But is it just a story/fiction or is it accurate?

DataBreaches reached out to Atrient for a response to the story and was sent the following statement by a spokesperson, which this site is reproducing in full:

“We have become aware of false claims regarding a security vulnerability relating to one of our products and an alleged assault.

“In November 2018, one of our product sales websites was subject to a brute force attack on a demo server which contained no personal data. The extent of the attack identified demo sites that our sales department engaged.

“We were subsequently contacted by a group. This included an individual who identified himself as Dylan English, which we now know to be an alias, Guise Bule of secjuice.com, and an individual who refused to identify himself by a name. Shortly after being contacted, it became apparent that there was a financial motive for not publicising the allegations. The FBI is aware of this group.

“On 6 February 2019 we received an unscheduled visit to the Atrient stand at the ICE conference in London from one of the ‘security researchers’. He was wearing a badge which identified him as Dylan Wheeler, which we believe to be his real name. After being informed that Atrient would not pay any money he made another false accusation, this time of assault, which an ExCel Convention Centre investigation has found to be baseless.

“This matter is now in the hands of the company’s legal advisers and law enforcement. It would therefore not be appropriate to comment any further.”

Not surprisingly,  SecJuice and others dispute the vendor’s version.  Readers who are interested in the controversy can find more on Twitter, but do read this report on CBR that contains links to audio from a conference call, and the same statement that this site was sent late this afternoon.

About the author: Dissent