Ask HN: Billion dollar companies sitting on security bugs since 4 months
We are a small 3-month-old security startup. We take an annual payment and discover security issues in customer properties and report them. We discovered a series of severe bugs related to authentication (oauth, account hijack, overwrite), payments(free orders, wallet hijack, partial credit card info leak), user data leaks (including unsalted password hashes, addresses, email, phone, order histories) apart from the regular XSS, injection issues etc. and reported it to the respective companies 4 months ago. Most of the companies are startups based out of India (almost all of them worth $100m+ and 8-9 of them $1b+ companies). The companies have neither fixed the bugs nor informed their users about a possible breach that might have happened before we found out.
Should we release the bugs in public? We are thinking of making a small dashboard which will display the companies and days left before the bugs will automatically become public. What are our options? Ideally, we would like to convert them to paying customers after they fix their current issues, but they are not even fixing them.
2 comments
[ 2.0 ms ] story [ 16.5 ms ] threadIf your intentions to help are sincere, you must get face-time with a true decision maker at the C-Level. They may not have your expertise, so you must show them personally & privately why this is a problem. The public shaming tactic would likely backfire, and possibly be viewed as extortion.