
Ask HN: How to disclose vulnerability to non responsive company? - OberonXanatos
While fooling around with Fiddler looking at data going in to and out of my phone, I discovered an application with a serious data leak.

The leak includes customers' private and personal information such as height, weight, address and phone numbers, including that of my wife.

No one seems to take the data leak seriously and it is a simple IDOR on their API.

While I had thought about probing deeper, I did not want to get tangled up in any legal trouble and stopped immediately.

I have been unsuccessfully trying to contact anyone at the company who will listen. I have Tweeted, emailed and tried calling the contacts I see available on their main page and developers on LinkedIn, and I received one reply from an automated ticketing system and no call back from my voicemails.

Is there an easier way to disclose a vulnerability like this without risking legal action? The company is not on HackerOne and I feel that when a young company receives news like this they will either go on the attack or respond in kind.

Is it worth just forgetting the whole thing, removing my accounts and moving on?
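The "simple IDOR on their API" the poster describes is a missing ownership check: the server looks up a record by whatever id the client sends. As an added illustration (not code from the poster or from the company in question; the profile fields, names and log lines are constructed), here is that pattern beside the fixed handler, plus a small log check of the kind a defender would use to spot someone walking through ids:

```python
from dataclasses import dataclass


@dataclass
class Profile:
    id: int
    owner: str       # authenticated user who owns this record
    height_cm: int
    weight_kg: int
    address: str
    phone: str


# Constructed sample records, not real customer data.
PROFILES = {
    1: Profile(1, "alice", 170, 65, "1 Example St", "555-0101"),
    2: Profile(2, "bob", 180, 80, "2 Example St", "555-0102"),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested record."""


def get_profile_vulnerable(session_user: str, profile_id: int) -> Profile:
    """IDOR: trusts the client-supplied id and never asks who owns it.

    `session_user` is accepted but ignored, which is exactly the bug.
    """
    return PROFILES[profile_id]


def get_profile_fixed(session_user: str, profile_id: int) -> Profile:
    """Authorise the lookup: the record must belong to the authenticated user."""
    profile = PROFILES.get(profile_id)
    # Missing and not-yours get the same answer so ids cannot be enumerated
    # by telling the two cases apart.
    if profile is None or profile.owner != session_user:
        raise Forbidden(f"profile {profile_id} is not accessible")
    return profile


def flag_enumeration(access_log, threshold: int = 5):
    """Return users that fetched more than `threshold` distinct profile ids.

    `access_log` is an iterable of (user, profile_id) pairs taken from the
    API's request log; one legitimate user normally touches only their own
    record, so a wide spread of ids is the signal worth alerting on.
    """
    seen = {}
    for user, pid in access_log:
        seen.setdefault(user, set()).add(pid)
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    # alice can read bob's record through the vulnerable handler...
    print(get_profile_vulnerable("alice", 2).phone)
    # ...but not through the fixed one.
    try:
        get_profile_fixed("alice", 2)
    except Forbidden as exc:
        print("blocked:", exc)
    # Constructed request log: "mallory" walks ids 1..10, alice reads her own.
    log = [("mallory", i) for i in range(1, 11)] + [("alice", 1)] * 3
    print("enumeration suspects:", flag_enumeration(log))
```

The fix is the single ownership comparison in `get_profile_fixed`; the detection function is the complementary control, since a missing check in one endpoint is easiest to notice from the access pattern it permits.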
======
bascule
45 days is a pretty reasonable and standard amount of time to give them after
you attempted to notify them:

[https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm](https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm)

You might give them that amount of time, inform them you're going to disclose,
and if they're still unresponsive, you did your due diligence trying to
disclose responsibly and I think it's ok for you to publish.

~~~
OberonXanatos
I have read through cert.org and it is an excellent resource for responsible
disclosure guidance, and I have been looking for a third party to disclose on my
behalf in order to avoid legal trouble should they take the news in a twisted
way.

I actually submitted a report to their site back in January and received a
reply that they "Typically avoid publishing or handling vulnerabilities that
affect live websites".

------
Animats
You have every right to look at data going in and out of your phone. This is
different from finding a vulnerability on a web site. You can't be accused of
"hacking" their web site.

I've had this problem with iDrive, the backup program. If you use their web
interface, they send the encryption key to the server as plain text and
decrypt at their end, not in the browser. They denied this when I told them
about it. I sent them dumps of the web traffic.

~~~
OberonXanatos
Interesting, I always worry about how companies may be able to twist the law
if they see someone reporting a data leak and they lose money because of bad
publicity.

[http://www.dmlp.org/blog/2013/government-responds-dmlp-amicus-brief-united-states-v-auernheimer](http://www.dmlp.org/blog/2013/government-responds-dmlp-amicus-brief-united-states-v-auernheimer)

[http://www.wired.com/2013/03/att-hacker-gets-3-years/](http://www.wired.com/2013/03/att-hacker-gets-3-years/)

------
click170
You could remove your accounts and move on but that does nothing for their
other customers.

Depending on how much time you've given them this sounds like a perfect
candidate for the Full Disclosure mailing list, just post anonymously.

~~~
OberonXanatos
The Full Disclosure mailing list seems intriguing; I have not actually thought of
this before. Are companies generally receptive to this kind of disclosure? If
someone maliciously dumps all their customer records and posts them on
Pastebin, is it likely that I may get in legal trouble?

~~~
click170
Companies being generally unreceptive to this kind of feedback is partly why
full disclosure is so necessary. If they won't treat a security incident with
the importance it deserves, it's time to elevate it to a PR incident by posting
to Full Disclosure.

~~~
click170
To clarify, posting data that you exfiltrated crosses a line and you shouldn't
do this. Publishing a proof of concept for the exploit instead is widely
considered acceptable especially when the publisher attempted to contact the
vendor and got a wall of silence.

------
david-given
I wouldn't trust any form of electronic communication for anything like this.
It's not nearly robust enough.

I'd use post. Like, printed stuff on actual paper. If you send something to
their business address as registered mail, not only do you get proof that you
sent it, you also get proof that they _received_ it. It's much less likely to
be ignored.

------
insomniacity
How long have you given them so far?

~~~
OberonXanatos
I have been sending emails asking for a place to disclose the issue since
January.

~~~
teamhappy
Google gives vendors 60 days IIRC. Pick a list and publish:
[http://seclists.org/](http://seclists.org/)

~~~
OberonXanatos
Much appreciated, I had not thought of this route and you saved me a Google
search.

------
jlg23
Give them a deadline to take action and make clear that you will publish
details if no action has been taken by then.

If they threaten you, contact a few well-reputed security research companies
and ask them if they want to handle that case for you. They have experience
dealing with such situations and a name that will make every company think
twice about threatening them with lawyers.

------
sacurity
On a tangent, but how does a security researcher get money in such cases when
one is not even able to get that fixed without even asking for money?

~~~
takeda
You don't (at least not legally).

The money is given as an incentive by companies that take security
seriously. It is used to persuade you to disclose the vulnerability to them
rather than selling it on the black market as a 0-day.

------
PythonDeveloper
When I get no response from a company, I always fax a letter to the company
CEO and without fail I get action.

