Pen testers accused of 'blackmail' after reporting Eurostar chatbot flaws
theregister.co.uk

Researchers at Pen Test Partners found four flaws in Eurostar's public AI chatbot that, among other security issues, could allow an attacker to inject malicious HTML content or trick the bot into leaking system prompts. Their thank you from the company: being accused of "blackmail."
The researchers reported the weaknesses to the high-speed rail service through its vulnerability disclosure program. While Eurostar ultimately patched some of the issues, during the responsible disclosure process, the train operator's head of security allegedly accused the pen-testing team of blackmail.
Here's what happened, according to a blog published this week by the penetration testing and security consulting firm.
After initially reporting the security issues - and not receiving any response - via a vulnerability disclosure program email on June 11, the bug hunter Ross Donald says he followed up with Eurostar on June 18. Still no response.
So on July 7, managing partner ...
Copyright of this story solely belongs to theregister.co.uk.