A few months ago, we started promoting KLEARED4 at local B-Sides events in Puerto Rico and DC.

As part of our marketing efforts, we offered promotional T-Shirts to individuals who did one of four things:

  1. Signed up for KLEARED4 for $1.
  2. Mentioned us (ideally positively) on social media.
  3. Traded goods or knowledge for it.
  4. Paid $25 for the T-Shirt.

During BSides DC 2019, we were visited by one individual who really helped put things into context. As I recall, this individual was intensely focused on the marketing materials at our booth. When I asked whether they were interested in getting a T-Shirt, the rundown of the options went like this:

  1. Not interested in signing up for this
  2. Not going to give ideally positive mentions on my social media, since I do not know this company.
  3. Not interested in trading
  4. Not paying $25 for this

Option 2 is where it clicked for me: no one knows our small company.

And so, we are starting a new page to document our company karma levels, based on pro-bono, beneficial or otherwise mentionable InfoSec-related work over the years. It is somewhat like a brag sheet, but summarized, so that anyone interested in assessing our company karma has at least a written record of activities to help them arrive at their own, more informed opinion.

That’s great, but couldn’t anyone just make this up? Absolutely.

To overcome this, we are ensuring that every item posted here is backed by some form of evidence that we can produce in 15 minutes or less when challenged by anyone. We will attempt this as a company, with a heavy emphasis on limiting trolls who seek to undermine it.

Other companies have a charitable activities page; how is this different? We understand that some larger or more established companies may provide pro-bono work such as building homes, and we absolutely encourage homes over hackers any day. This page is different in that the activities covered here are specifically intended to improve cyber-awareness or cyber-hygiene in our communities.

We will keep these activities in reverse chronological order and would encourage other companies to follow suit.

2020: It’s a secret for now 🙂

2019:

  • Informed a small local company that it was sharing internal customer briefings over Vimeo.
  • Contributed subdomain enumeration of all government websites in Puerto Rico for review and incorporation into the open data.gov portal.
  • Provided free consultation for an attorney looking to pursue a defamation case.

2018:

  • Sent disclosure notifications to the Judicial Branch of Puerto Rico about an IDOR (insecure direct object reference) that exposed court case notifications and filings, including cases involving minors.
  • Sent a disclosure notification to an ISP in Puerto Rico that was exposing customers' full names and account information over SNMP, keyed by customer IP address. This is now fixed, and the fix resulted in an 80% drop in publicly exposed SNMP information in Puerto Rico.

2017: Led IR efforts in a ransomware case in Puerto Rico. Billed a modest amount for the services performed, given the financial situation in Puerto Rico.

2016:

  • Conducted a pro-bono Remote Incident Response training in Puerto Rico. The registration fee only covered lunch.
  • Reported four different phishing URLs to the abuse contacts listed in ARIN records.

2015:

  • Sent two certified letters notifying a small medical provider in Annapolis and a state government office of possible data-leak vulnerabilities. Both were acknowledged and answered over email.
  • Emailed the abuse contacts of two small companies about malware being hosted on their domains.
  • Reported the phantom collection arm of a large image vendor to the BBB for deceptive collection and intimidation practices.

2014:

  • Provided free consultation for an attorney looking to pursue a defamation case.
  • Provided a small local business with a link to the then-active https://www.decryptcryptolocker.com/ to help recover ransomed files.

2013: Company Founded. Closure of original company.