Ask HN: How to disclose vulnerability to non responsive company?

43 points by OberonXanatos ↗ HN
While fooling around with Fiddler looking at data going in to and out of my phone, I discovered an application with a serious data leak.

The leak includes customers private and personal information such as height, weight, address and phone numbers including that of my wife.

No one seems to take the data leak seriously and it is a simple IDOR on their API.

While I had thought about probing deeper, I did not want to get tangled up into any legal trouble and stopped immediately.

I have been unsuccessfully trying to contact anyone at the company that will listen. I have Tweeted, Emailed and tried calling the contacts I see available on their main page and developers on LinkedIn and I received one reply from an automated ticketing system and no call back from my voicemails.

Is there an easier way to disclose a vulnerability like this without risking legal actions? The company is not on HackerOne and I feel that when a young company receives news like this they will either go on the attack or respond in kind.

Is it worth just forgetting the whole thing removing my accounts and moving on?

18 comments

[ 3.1 ms ] story [ 43.9 ms ] thread
How long have you given them so far?
I have been sending emails asking for a place to disclose the issue since January.
45 days is a pretty reasonable and standard amount of time to give them after you attempted to notify them:

https://www.cert.org/vulnerability-analysis/vul-disclosure.c...

You might give them that amount of time, inform them you're going to disclose, and if they're still unresponsive, you did your due diligence trying to disclose responsibly and I think it's ok for you to publish.

I have read through cert.org and it is an excellent resource for responsible disclosure guidance and have been looking for a third party to disclose on my behalf in order to avoid legal trouble should the take the news in a twisted way.

I actually submitted a report to their site back in January and received a reply that they "Typically avoid publishing or handling vulnerabilities that affect live websites"

You could remove your accounts and move on but that does nothing for their other customers.

Depending on how much time you've given them this sounds like a perfect candidate for the Full Disclosure mailing list, just post anonymously.

Full disclosure mailing list seems intriguing, I have not actually thought of this before. Are companies generally receptive to this kind of disclosure. If someone maliciously dumps all their customer records and posts them on pastebin is it likely that I may get in legal trouble?
Were you to post to full-disclosure, you'd probably not see a lick of trouble. You exercised due diligence. You gave them more than ample time to acknowledge the bug, and they continue to have a flaw that allows arbitrary people to see personal information.

Then again, given the information you've given, there's a different route you can probably take. This sounds very much like a HIPAA violation, and the federal government takes those very seriously. Report it here:

http://www.hhs.gov/hipaa/filing-a-complaint/what-to-expect/i...

if they are a health entity that would fall under HIPAA rules.

Companies being generally unreceptive to this kind of feedback is partly why full disclosure is so necessary. If they won't treat a security incident with the importance it deserves its time to elevate it to a PR incident by posting to full disclosure.
To clarify, posting data that you exfiltrated crosses a line and you shouldn't do this. Publishing a proof of concept for the exploit instead is widely considered acceptable especially when the publisher attempted to contact the vendor and got a wall of silence.
When I get no response from a company, I always fax a letter to the company CEO and without fail I get action.
Give them a deadline to take action and make clear that you will publish details if no action has been taken until then.

If they threaten you, contact a few well-reputed security research companies and ask them if they want to handle that case for you. They have experience dealing with such situations and a name that will make every company think twice about threatening them with lawyers.

On a tangent, but how does a security researcher get money in such cases when one is not even able to get that fixed without even asking for money?
You don't (at least not legally).

The money is given as an incentive from companies which takes security seriously. It is used to persuade you to disclose the vulnerability to them rather than selling it on black market as 0-day.

I wouldn't trust any form of electronic communication for anything like this. It's not nearly robust enough.

I'd use post. Like, printed stuff on actual paper. If you send something to their business address as registered mail, not only do you get proof that you sent it, you also get proof that they received it. It's much less likely to be ignored.

You have every right to look at data going in and out of your phone. This is different from finding a vulnerability on a web site. You can't be accused of "hacking" their web site.

I've had this problem with iDrive, the backup program. If you use their web interface, they send the encryption key to the server as plain text and decrypt at their end, not in the browser. They denied this when I told them about it. I sent them dumps of the web traffic.