16

Found a bug on a 3rd-party service, which allows unauthorised data manipulation. Reached out to the team saying I would like to report an issue and asking them what the medium to report it is, as it is sensitive to post/report publicly.

No one cares to respond even after 2 days.

I guess security is just a fancy word to speak about but no one truly cares.

Comments
  • 9
    Just publish it, maybe they'll take care after that...
  • 4
    @arunnalla I'm serious. If they won't respond in private, making this public has them go into panic mode.
  • 4
    @kescherRant Hmm, I do not know.. will write to them again maybe before I leave work today, and still, if they do not respond tomorrow then I will think about this.
  • 12
    @arunnalla Companies which don't respond quickly to vulnerabilities need to be taught the hard way.
  • 0
    It could be that no one is checking those emails, so you might need to get an actual human's email in your hands and send it there.
  • 1
    Send the email again with a link leading to a public website describing the vulnerability.
  • 2
    @PaszaVonPomiot is right. The initial "I found a vulnerability" report needs a few pieces of information to protect yourself:

    - A short description indicating the vulnerability found, and the risk to customers
    - A deadline to respond (i.e. 7 days)
    - A statement that you'll publish online if they don't respond in time, in an effort to protect our customers.

    If they miss the deadline, publish it, promote it, and even share it here. Many of us will republish links to it. I've done this several times.
  • 2
    Update: They have acknowledged the bug and are working on fixing it.