Does anyone else collect mementos from successful hacks?

It's saved in a folder named “hackety hack hack”

Absolutely not.

You’re performing freelance work for an organisation; it’s your responsibility to appropriately remove this content post-engagement (in this case, report). At minimum, hold it only offline and encrypt.

In this case you’ve synced this to a cloud-based resource. Were you compromised, or your Google account compromised, so would all that information be. This isn’t whitehat, it’s very decidedly grey, I’d suggest removing it - or at least renaming your folder.

I know this is an older post, but I would have to agree with codingo. Most companies have rules in place explicitly asking that you destroy information about vulns, etc. after reporting. At least on a lot of the private/on-demand programs I have seen. Keeping that type of information can open yourself up to all sorts of issues ranging from being compromised and losing the information to a threat actor, or even in the courts depending on the information retained, etc. I would highly recommend against this practice and to make a habit of removing even screenshots from past engagements after things have been resolved, unless permission is received in writing from the program to retain it (for example for writing a blog post).
