Yeah, huge surprise.

Have you ever tried to report a technical issue to a Big Tech company, like, at all? If so, 'silence' is the best you can expect, with 'a threatening letter' and 'a SWAT visit' being the runners-up.

Example of the first: if your mail server uses the default-Windows-2016-TLS stack, Facebook's mail servers will immediately disconnect after issuing a STARTTLS command and receiving your server certificate. Why? No idea, everyone else seems to be fine, but this has been ongoing for years.

Second example: you can steal any Dutch "OV bike" simply by impersonating the MIFARE Classic UID of any valid subscriber, without any rate limits on those attempts. I reported this issue to them in 2016; they tried to sue me and failed, then tried to talk to me and failed to listen, and to this day this vulnerability exists.

Third example: phew, none (SWATs are not as eager to mobilize around here), but I would not be surprised, like, at all, if I were to get an early-morning wake-up call just for trying to correct someone's SPF records via an advisory email...

Here's Renee Burton's (at Infoblox) comment on Philippe Caturegli's post on LinkedIn:

"When we contacted DNS providers about Sitting Ducks attacks ONGOING in their network via lame delegation... some responded with aggression and others with ambivalence. No criminals were disrupted and it was a waste of our resources even though it was the right thing to do."

And I can personally vouch that's mostly my experience and expectation as well, and not just for DNS issues.

I reported a vulnerability to Amazon last year. I got an initial response within 24 hours, and follow-up emails every week until it was patched. It was kind of well handled.

They don't do bug bounties though.

The common issue I notice amongst companies that fail to admit fault is that they are _public_. Admitting fault means a poor market signal. Poor market signal means leadership perceived as inept and “failing to deliver shareholder value”.

Of course this isn't unique to public companies. I have seen private companies do the same for less, to avoid embarrassment, or perhaps because they think it would harm their IPO.

> Example of the first: if your mail server uses the default-Windows-2016-TLS stack, Facebook's mail servers will immediately disconnect after issuing a STARTTLS command and receiving your server certificate. Why? No idea, everyone else seems to be fine, but this has been ongoing for years.

Ok, nerd sniped. I likely can't get this fixed because I don't think I have any FB contacts for outbound mail, but I want to see a pcap and have a look at the TLS negotiation. If you provide the server hostname so I can run more STARTTLS trials, that would also be neat. Email is in my profile.

But yeah, good luck getting a response from big tech. I just want to know!

In theory, Facebook should have a postmaster that would look at email issues, but probably nobody looks at that address because it's mostly junk.
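For anyone who wants to run the STARTTLS trials the reply above asks for, here is a small probe script. It is an added example for this thread, not code posted by either commenter and not anything from Facebook or Microsoft. It walks the cleartext SMTP session up to STARTTLS, then attempts the TLS handshake under several protocol-version limits, so a peer that cuts the connection during the handshake can be narrowed down to the version it dislikes. The hostname `mx.example`, the HELO name `probe.example` and the server transcript in `dry_run` are constructed for illustration; point `probe()` at the real mail server to get a live result.

```python
"""STARTTLS probe: SMTP up to STARTTLS, then a TLS-version sweep.

Added example for this thread, not code from the original posts. Host
names and the sample transcript below are constructed, not real data.
"""
import io
import socket
import ssl


def read_reply(rfile):
    """Read one SMTP reply, including multi-line "250-..." replies.

    Returns (code, [text lines]). Raises ConnectionError if the peer closes
    the connection before the reply is complete (the "immediate disconnect"
    symptom this probe exists to catch).
    """
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(text) < 3 or not text[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % text)
        lines.append(text[4:])
        if len(text) == 3 or text[3] != "-":
            return int(text[:3]), lines


def negotiate_starttls(rfile, wfile, helo_name="probe.example"):
    """Banner, EHLO, STARTTLS. Returns the EHLO capability list.

    helo_name is an assumed, constructed host name.
    """
    code, banner = read_reply(rfile)
    if code != 220:
        raise RuntimeError("unexpected banner %d %s" % (code, banner))
    wfile.write(b"EHLO " + helo_name.encode("ascii") + b"\r\n")
    wfile.flush()
    code, caps = read_reply(rfile)
    if code != 250:
        raise RuntimeError("EHLO rejected: %d %s" % (code, caps))
    if not any(c.upper().startswith("STARTTLS") for c in caps):
        raise RuntimeError("server does not advertise STARTTLS")
    wfile.write(b"STARTTLS\r\n")
    wfile.flush()
    code, reply = read_reply(rfile)
    if code != 220:
        raise RuntimeError("STARTTLS refused: %d %s" % (code, reply))
    return caps


# (label, minimum_version, maximum_version), strict first, lenient last.
VERSION_SWEEP = (
    ("tls1.3-only", ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3),
    ("tls1.2-only", ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
    ("tls1.0-1.2", ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2),
)


def make_context(vmin, vmax):
    """Client context restricted to [vmin, vmax]. Verification is off on
    purpose: the point is to observe the handshake, not to trust the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = vmin
    ctx.maximum_version = vmax
    return ctx


def probe(host, port=25, sweep=VERSION_SWEEP, timeout=10.0):
    """Return {label: ("ok", version, cipher, der_cert_len)
                    | ("fail", error type, message)} for each sweep entry."""
    results = {}
    for label, vmin, vmax in sweep:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                negotiate_starttls(sock.makefile("rb"), sock.makefile("wb"))
                ctx = make_context(vmin, vmax)  # inside try: old versions may be refused
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    cert = tls.getpeercert(binary_form=True) or b""
                    results[label] = ("ok", tls.version(), tls.cipher()[0], len(cert))
        except (OSError, RuntimeError, ValueError) as exc:  # ssl.SSLError is an OSError
            results[label] = ("fail", type(exc).__name__, str(exc))
    return results


def dry_run(transcript):
    """Replay a captured or constructed server transcript offline.

    Returns (capabilities, bytes the probe would have sent); useful for
    checking the cleartext half against a pcap before going live.
    """
    rfile, wfile = io.BytesIO(transcript), io.BytesIO()
    caps = negotiate_starttls(rfile, wfile)
    return caps, wfile.getvalue()


if __name__ == "__main__":
    import sys
    for label, outcome in probe(sys.argv[1]).items():  # e.g. python probe.py mx.example
        print(label, *outcome)
```

A server that answers EHLO and 220 to STARTTLS but then fails only in the lenient "tls1.0-1.2" row (or only in the strict rows) tells you the disagreement is at the TLS layer rather than in SMTP; the error type and message from the failing row, together with the pcap, is what to send to whoever ends up looking at it.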

I have with Apple. Got a very generous bounty that paid for my university, though it did take close to a year.