Ask HN:How to warn a company about the security issues if they refuse to listen?

14 points by system2 ↗ HN
Hello all,

While I was visiting a client, I found out a neighbor has a massive security problem with their online services. It was by luck, I didn't even use hard tools to find it. I am sure real foreign hackers wouldn't stop where I stopped after seeing everything by luck. I didn't do anything malicious, not even tried to penetrate them as I am afraid of any kind of legal responsibility.

This company is working with very large enterprises, as well as the government/defense etc.

----

I tried to contact their executives via LinkedIn, I got no response. (3 people).

I sent 5 emails to their executives after finding their email addresses from various business listing sites. Only one answered to my detailed email saying: "I will forward this email to our IT, if we need your help, we will let you know." And this person didn't even ask the details nor replied my emails any further.

---

It has been 2 weeks, they didn't do anything about the security issues they have with their software. Their incredibly loose system allowing:

-local network and all computers

-backups

-every client they ever had

-clients invoice

-manipulate data of orders and machines

-their core software Database, with full read/write possibility with no restriction or logging

-most importantly, all of their connected client's local IP addresses and so on.

---

I sent them another email today, they seem to ignore. I am extremely baffled that a company can ignore such a warning and don't take action.

---

What should I do? I wasted enough time typing them detailed emails.

12 comments

[ 4.4 ms ] story [ 19.1 ms ] thread
I'd say "forget it, move on, and delete any evidence that any of this ever took place." You stand to gain nothing from this whole exercise, while the downside risk is that you get weev'd[1].

Screw 'em, you don't owe them anything. And if they don't want to fix the issue, it's not your problem.

[1]: https://en.wikipedia.org/wiki/Weev

I agree. I am moving on, I am hoping no company gets harmed because of these incompetent people.
Sadly, the laws seem to enforce your position. The incentives are biased...

It is a shame that we don't have an organisation, a foundation about this subject.

A place, a website to tell such a risk for user privacy.

Perhaps the RGPD from EU can help?

Perhaps you could identify members of their technical team via LinkedIn or whoising their domain name, or others they own. You might find that the CAA record contains the e-mail address of a security manager for example. You could perhaps try to figure out their e-mail address scheme and contact members of the IT team. You probably need to get past the executive outer shell and speak to real technical people who will understand the gravity of the situation.

But aside from that, I can't think of a legal way to proceed. You could of course access customer data and then contact an important customer directly in an anonymous fashion. That'd light a fire under them but you would almost certainly be in violation of the law. The fact that you've already contacted them, presumably using your real-world identity would put you under suspicion swiftly.

But as others have said, what's in it for you? I'd personally file this under "not my problem" at this point.

I am not going to try to contact them any further. I was trying to be a good Samaritan since this company also supports the government and many major American companies.

Certainly, I don't want any legal issue randomly because of a loosely secured company while I try to help them for free. As the other commenter indicated, I wish there was a government department which could take care of this type of things.

Looking at the CAA record for the IODEF contact email is a great idea, but unfortunately the sort of organisations who don't have published security contacts are also incredibly unlikely to use or even know what CAA is.

Could try emailing security@, hostmaster@?

I contacted someone and that person responded already as I stated in the details above. That person is a C-level and didn't even bother asking me about anything. I move on, I tried to help.
You fulfilled your moral obligation, and cannot solve the problems of the world.

Shake your head and move on!

While it doesn't benefit you in the long term and you run risk of being blames as others have said. Try contacting the government considering they seem to utilize their services. I think they're much more likely to take it seriously.
If you wanted to try one more thing, if they are actually working with the U.S. government (and most Countries probably have similar options) there are places you can report them, generally anonymously. Contractors are required to maintain secure systems, even things you would never think of, and U.S. Defense contractors are especially at risk if they do not.

I do disagree with one comment here. I would NOT delete your attempts to warn them. You deleting this could be worse for you later, or be seen as you deleting "evidence". As long as you are not doing anything illegal yourself, and you have done nothing to harm this company than you are safer to keep the records. If you do not, and you delete them, you have no proof and they could make later claims against you. Just my 2 cents, but IANAL.

*edit fixed a word

No, of course, I won't delete my messages or emails I sent. In the end, their security is so loose, it is very easy to prove in less than a minute how easy to enter their servers with no credentials even if they blame me for anything random.

I am moving on! I hope this thread helps the next person who is having somewhat similar situation.