Ask HN: Should I report ESTA (esta.cbp.dhs.gov) security bug? How?
While filling out the ESTA application at https://esta.cbp.dhs.gov/esta/application.html, after the form refreshed I was suddenly shown someone else's personal information.
I reported the security bug via https://help.cbp.gov/app/forms/complaint but I got a totally irrelevant response, no human probably read my message.
I would like to genuinely help the devs behind the site but I am also concerned about retributions from egotripping CBP officers. What are my options?
3 comments
[ 2.5 ms ] story [ 15.1 ms ] threadhttps://18f.gsa.gov/
This links to the report form at https://www.kb.cert.org/vuls/govreport/
As with all vulnerability reporting, it's much more likely that someone will take action on your report if you can provide evidence or a reproducible proof of concept.
18F/TTS can sometimes direct reports to the right place, but it's really not their job to do so.