
Bragging about security is definitely increasing the likelihood that some random guy will say "oh yeah, we'll see about that" in response to a marketing campaign centered around security.



If Some Random Guy can just happen to compromise the processes described here after reading a few-hundred-word blog post, they should probably just go after every browser root cert program, which use almost identical procedures and have also described them openly.

Why go after Monzo when you can go after XYZ root cert trusted by every device out there?


Because one initiated a marketing campaign about their security so as to get some attention and find a different vulnerability the company didn't know about.


Publicly describing your security procedures is common (and encouraged) practice in infosec. See Cloudflare, Mozilla, Google, etc., who have all publicly described various security procedures (including key signing and key management).

If you could actually do anything based on the knowledge here, you would go after a browser root cert because your hack would be exponentially more effective.


I wouldn't do anything, but I also wouldn't do a security-driven marketing campaign. If someone thinks their root cert is safe, it doesn't mean there isn't some other way to get access to user credentials that could allow compromise through some other avenue.

Edit, since I can't reply a level further down: Yes, I would be very careful about security-related marketing and really consider if it's necessary at all.


>it doesn't mean there isn't some other way to get access to user credentials

You can always be hacked in some other way, so I guess we should never write anything about security ever?

> Edit, since I can't reply a level further down: Yes, I would be very careful about security-related marketing and really consider if it's necessary at all.

Interestingly, the security people at Google, Cloudflare, Microsoft, and just about every other major tech company (and security company, certificate authority, etc.) agree that openly talking about security best practices is... well... a best practice. And that keeping security practices secret (obscure, you could say) benefits no one.

Not sure why you have to shoehorn marketing into every comment. Literally anything a company posts is arguably considered marketing, so what's your point?


I hope this post doesn't come across as a brag, as it's not meant to be; being arrogant about security only ends one way, after all...

I published this because I want to be open about how we do these things, because I think we safely can be, and it shows that we care and don't just pay lip service to security.

If you'd like to show us up for our security though, please do peek at our HackerOne program. I'm a program admin on it and I'd love to read more interesting reports: https://hackerone.com/monzo <3 (I know it doesn't have a paid bounty yet; I'm advocating for it.)


It comes off as marketing based on security, which is no different than bragging in my opinion. You have a program for dealing with security vulnerabilities; clearly this blog post was to tell people about how good your security is. It's marketing.