Ask HN: How long to give a website to fix their security flaw?

3 points by lmai ↗ HN
How long should one give for a website to fix their security flow before warning their customers? Corollary: How should it be done since I can't reach out to their customers?<p>Background: The hack is simply changing the id variable in the url. It's a serious bug as you can view some of my photos from my various social networks. This could be detrimental to the VC backed company as they just did a Groupon-type deal (which is how I came to be a customer).

2 comments

[ 3.4 ms ] story [ 16.4 ms ] thread
Send a high priority email to their customer support (or alike), wait 24 hours, if no response is received then tell the customers (blog post? forum thread? hnews/reddit?).

If response is received wait a week or so and, again, check for the existence of the exploit.

Thanks. I was thinking giving them the weekend.