Please help me handle a security vulnerability

23 points by iinnPP ↗ HN
In 2018 I discovered a security vulnerability and worked with both government and business to try to correct the issue. After 6 months of phone calls and emails, I opted to accept their proposed fixes and left the entire thing in the hands of the Government of Canada. My feedback was ignored entirely. I wasted ~100 hours and for that I got precisely nothing.

On December 21, 2022 I required use of the service in question and once again found a security problem. The same problem.

On December 21, 2022 I noted several pieces of evidence which indicate active exploitation of the vulnerability.

On December 21, 2022 I contacted: CBC, The business, NDP, and the OPC. To date, none of them have contacted me except for automated responses. I get that it's Christmas but over a week just to hear anything from any human from any of those organizations? Nothing.

At the most severe, the security vulnerability threatens life and limb. It impacts approximately 2,000,000 people directly and I would estimate the total impact in the 10s or 100s of millions of people. It impacts people globally.

It's causing me too much stress. If you are in a verifiable position of power in Canada, please indicate how I can get in touch with you.

Otherwise, please, any advice you have on how I can get rid of this curse without harming anyone is greatly appreciated.

9 comments

[ 14.4 ms ] story [ 337 ms ] thread
Is it a vulnerability in a business or in a government service/dept?
Business. I cannot name them without exposing the vulnerability.
If you think that revealing the name of a business discloses the vulnerability, then I question whether you are using "vulnerability" in the standard way or that what you have found is a vulnerability as understood by the software community.

Unfortunately many people do this, thinking that a potential bad outcome of a business process is a "vulnerability" - perhaps they are using vulnerability in the non-technical sense, as in "we're vulnerable to supply chain disruptions".

It'd be more productive to contact the vendor(s) of the software unless the software has been developed in-house.
Just leave it and move on with your life.
Get a lawyer to inform them about this if you can, they know how to get them to listen.
krebsonsecurity@gmail.com

Ask to remain anonymous, and do your best efforts to reach out without disclosing personal information.