Every now and then I get bored and start poking around looking for publicly exposed API keys and credentials. I ALWAYS find something. It's kind of sad. I want to help developers be better :-(

Thing is ... I do this on my own time and on my own dime and, more often than not, people freak out thinking I hacked them and threaten me with legal action. For helping them out.

Imagine someone calling the cops on you because you picked their wallet up off the ground and handed it to them. Same thing. Makes me really _not_ want to help at all sometimes.

This time, it was almost a dozen API keys for Mandrill that I found. Added to the half dozen I reported last summer. I'm confident the team there will shut things down and take appropriate action with their customers.

But ... I _really_ wish there were an incentive for doing this.

I like to think I'm a good person and that I'll always do the right thing. But it's ... hard to go out of my way to do the right thing when there's zero financial incentive (and the high potential of legal threats) involved.
