Ask HN: How to disclose vulnerability to non responsive company?
The leak includes customers private and personal information such as height, weight, address and phone numbers including that of my wife.
No one seems to take the data leak seriously and it is a simple IDOR on their API.
While I had thought about probing deeper, I did not want to get tangled up into any legal trouble and stopped immediately.
I have been unsuccessfully trying to contact anyone at the company that will listen. I have Tweeted, Emailed and tried calling the contacts I see available on their main page and developers on LinkedIn and I received one reply from an automated ticketing system and no call back from my voicemails.
Is there an easier way to disclose a vulnerability like this without risking legal actions? The company is not on HackerOne and I feel that when a young company receives news like this they will either go on the attack or respond in kind.
Is it worth just forgetting the whole thing removing my accounts and moving on?
18 comments
[ 3.1 ms ] story [ 43.9 ms ] threadhttps://www.cert.org/vulnerability-analysis/vul-disclosure.c...
You might give them that amount of time, inform them you're going to disclose, and if they're still unresponsive, you did your due diligence trying to disclose responsibly and I think it's ok for you to publish.
I actually submitted a report to their site back in January and received a reply that they "Typically avoid publishing or handling vulnerabilities that affect live websites"
Depending on how much time you've given them this sounds like a perfect candidate for the Full Disclosure mailing list, just post anonymously.
Then again, given the information you've given, there's a different route you can probably take. This sounds very much like a HIPAA violation, and the federal government takes those very seriously. Report it here:
http://www.hhs.gov/hipaa/filing-a-complaint/what-to-expect/i...
if they are a health entity that would fall under HIPAA rules.
If they threaten you, contact a few well-reputed security research companies and ask them if they want to handle that case for you. They have experience dealing with such situations and a name that will make every company think twice about threatening them with lawyers.
The money is given as an incentive from companies which takes security seriously. It is used to persuade you to disclose the vulnerability to them rather than selling it on black market as 0-day.
I'd use post. Like, printed stuff on actual paper. If you send something to their business address as registered mail, not only do you get proof that you sent it, you also get proof that they received it. It's much less likely to be ignored.
I've had this problem with iDrive, the backup program. If you use their web interface, they send the encryption key to the server as plain text and decrypt at their end, not in the browser. They denied this when I told them about it. I sent them dumps of the web traffic.
http://www.dmlp.org/blog/2013/government-responds-dmlp-amicu... http://www.wired.com/2013/03/att-hacker-gets-3-years/