Ask HN: Remote hole and us law

2 points by STSW ↗ HN
Hi, imagine you find yourself in the position of finding one of the biggest remote hole in the cloud of one of the most popular tech company out there. You don't want to make money with it - you just want to solve this stuff with the right person but you know that the size of he topic could be overwhelming the employee behind the security email address and you need to find a high executive to really solve this.

Just write a mail to there security email address and pray that they do there job with already knowing that they will take up to >100 days in he past to react on issues?

Who to reach out or find the right person in the company?

Besides that, I'm not 100% familiar with us law but was the risk from law point of view if you report a remote hole?

Best

S

2 comments

[ 3.7 ms ] story [ 13.7 ms ] thread
If you don't want to deal with the company directly, get in touch with CERT and they'll liasion with the vendor for you.

I, personally, would just post the details to full-disclosure, but not everyone agrees with that.