Ask HN: How should site owners respond to complete data compromise?

4 points by ivanstojic ↗ HN
I hacked a local social networking site here in Croatia. I was looking into the innards of how one of their features works and while tampering with HTTP I accidentally sent a request with a semicolon in one of the fields. The rest is history: full access to their database, files, etc...

I informed the site owners immediately and they fixed the hole within a day or so, while expressing gratitude and surprise that somebody would go out of their way to describe the depth of the security problem, etc...

But during the talks with their tech team I realized that they have been aware of the hole for at least two years and had no idea if anyone ever exploited it. What's worse they were not going to disclose the hack in any way.

Considering that this was a hole that'd let you fetch all the data just like the POF hack, and considering that there might have been sensitive user data leaked, I'm questioning the wisdom of their choice of keeping the lid on things.

What does HN think: how should site owners respond to such complete failures of security? What would you do?

2 comments

[ 2.8 ms ] story [ 18.1 ms ] thread
If a bug in my code put my customers' data at risk, I would fix the vulnerability; make sure I fully understood its scope; make sure there were no other similar bugs; write a blog post alerting the world to the problem and providing any mitigation strategies; and email all my customers to make sure they saw the blog post.
I'd upvote this twice if it were possible :)