
A good way of determining how seriously an organization takes security is to look for any kind of security incident report page or security contact info. Bonus points for publishing a GPG key for the security account. Pretend you have found a security issue in their system and look for how they want that reported.

Also. Unresponsive companies like this contribute to the volume of people who don't bother with responsible disclosure and just go straight to full disclosure, anonymously or not.

Companies need to see a hit on their bottom line or a breach in their own security before they take it seriously, as has been demonstrated time and again.



Are we doing it right? https://paragonie.com/contact :)


You've got a GPG key up, which is more than most.

That tells me that you've got a security team (even if it's one person who wears other hats too), and it implies that anything encrypted with that key will be forwarded to your security team instead of being triaged by front-line support staff.

It definitely lends credence to your Application Security offering.


I'm getting a 502 from CloudFlare, so maybe not?


Yeah, I don't know what happened. I got those last night and I SSH'd in and there were no problems on our end: Both nginx and php5-fpm were running clean as a whistle, no error log entries, etc. :\



