
Ask HN: How to warn a company about the security issues if they refuse to listen? - system2
Hello all,

While I was visiting a client, I found out a neighbor has a massive security problem with their online services. It was by luck, I didn't even use hard tools to find it. I am sure real foreign hackers wouldn't stop where I stopped after seeing everything by luck. I didn't do anything malicious, not even tried to penetrate them as I am afraid of any kind of legal responsibility.

This company is working with very large enterprises, as well as the government/defense etc.

----

I tried to contact their executives via LinkedIn, I got no response (3 people).

I sent 5 emails to their executives after finding their email addresses from various business listing sites. Only one answered my detailed email, saying: "I will forward this email to our IT, if we need your help, we will let you know." And this person didn't even ask for the details nor replied to my emails any further.

---

It has been 2 weeks, and they haven't done anything about the security issues they have with their software. Their incredibly loose system allows access to:

- the local network and all computers
- backups
- every client they ever had
- clients' invoices
- manipulating data of orders and machines
- their core software database, with full read/write access with no restriction or logging
- most importantly, all of their connected clients' local IP addresses and so on.

---

I sent them another email today; they seem to ignore it. I am extremely baffled that a company can ignore such a warning and not take action.

---

What should I do? I wasted enough time typing them detailed emails.
======
mindcrime
I'd say "forget it, move on, and delete any evidence that any of this ever
took place." You stand to gain nothing from this whole exercise, while the
downside risk is that you get weev'd[1].

Screw 'em, you don't owe them anything. And if they don't want to fix the
issue, it's not your problem.

[1]: [https://en.wikipedia.org/wiki/Weev](https://en.wikipedia.org/wiki/Weev)

~~~
Isammoc
Sadly, the laws seem to enforce your position. The incentives are biased...

It is a shame that we don't have an organisation, a foundation about this
subject.

A place, a website to tell such a risk for user privacy.

Perhaps the RGPD from EU can help?

------
davismwfl
If you wanted to try one more thing, if they are actually working with the
U.S. government (and most Countries probably have similar options) there are
places you can report them, generally anonymously. Contractors are required to
maintain secure systems, even things you would never think of, and U.S.
Defense contractors are especially at risk if they do not.

I do disagree with one comment here. I would NOT delete your attempts to warn
them. You deleting this could be worse for you later, or be seen as you
deleting "evidence". As long as you are not doing anything illegal yourself,
and you have done nothing to harm this company, then you are safer to keep the
records. If you do not, and you delete them, you have no proof and they could
make later claims against you. Just my 2 cents, but IANAL.

*edit fixed a word

~~~
system2
No, of course, I won't delete my messages or emails I sent. In the end, their
security is so loose, it is very easy to prove in less than a minute how easy
to enter their servers with no credentials even if they blame me for anything
random.

I am moving on! I hope this thread helps the next person who is in a
somewhat similar situation.

------
gtsteve
Perhaps you could identify members of their technical team via LinkedIn or
whoising their domain name, or others they own. You might find that the CAA
record contains the e-mail address of a security manager for example. You
could perhaps try to figure out their e-mail address scheme and contact
members of the IT team. You probably need to get past the executive outer
shell and speak to real technical people who will understand the gravity of
the situation.

But aside from that, I can't think of a legal way to proceed. You could of
course access customer data and then contact an important customer directly in
an anonymous fashion. That'd light a fire under them but you would almost
certainly be in violation of the law. The fact that you've already contacted
them, presumably using your real-world identity would put you under suspicion
swiftly.

But as others have said, what's in it for you? I'd personally file this under
"not my problem" at this point.

~~~
jamieweb
Looking at the CAA record for the IODEF contact email is a great idea, but
unfortunately the sort of organisations who don't have published security
contacts are also incredibly unlikely to use or even know what CAA is.

Could try emailing security@, hostmaster@?
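
An added example, not code from anyone in this thread: a small Python parser for CAA records in DNS presentation format that extracts the iodef contact gtsteve and jamieweb mention, so the record can be checked for a reporting address before falling back to role mailboxes. The domain `example.invalid` and the sample records are constructed; in practice the input would be the output of `dig +short CAA <domain>`.

```python
import re
from typing import List, NamedTuple, Tuple

# Presentation format of a CAA record (RFC 8659): <flags> <tag> "<value>".
# A full zone-file line ("owner TTL IN CAA ...") is accepted as well.
_CAA_RE = re.compile(
    r'^\s*(?:\S+\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+)?'  # optional owner/TTL/class/type prefix
    r'(\d{1,3})\s+'                                # flags octet (0-255)
    r'([A-Za-z0-9]+)\s+'                           # tag: issue, issuewild, iodef, ...
    r'"((?:[^"\\]|\\.)*)"\s*$'                     # quoted value, backslash escapes allowed
)

CRITICAL_FLAG = 128  # the "issuer critical" bit of the flags octet


class CAARecord(NamedTuple):
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL_FLAG)


def parse_caa(line: str) -> CAARecord:
    """Parse one CAA record in presentation format; raise ValueError on junk."""
    m = _CAA_RE.match(line)
    if not m:
        raise ValueError(f"not a CAA record in presentation format: {line!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError(f"CAA flags must fit in one octet: {flags}")
    value = re.sub(r'\\(.)', r'\1', m.group(3))  # undo \" and \\ escapes
    return CAARecord(flags, m.group(2).lower(), value)


def reporting_contacts(lines) -> List[Tuple[str, str]]:
    """Return the iodef reporting endpoints as (kind, target) pairs.

    kind is "mailto" (target is the bare address) or "url" (target is the
    full http(s) URL). iodef values with any other scheme are ignored rather
    than reported as contacts; non-iodef records are skipped.
    """
    contacts: List[Tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):  # blank line or zone-file comment
            continue
        rec = parse_caa(line)
        if rec.tag != "iodef":
            continue
        v = rec.value.strip()
        if v.lower().startswith("mailto:"):
            contacts.append(("mailto", v[len("mailto:"):]))
        elif v.lower().startswith(("http://", "https://")):
            contacts.append(("url", v))
    return contacts


# Constructed sample, shaped like `dig +short CAA example.invalid` output
# plus one full zone-file line; example.invalid is not a real domain.
SAMPLE_CAA = [
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.invalid"',
    '128 iodef "https://caa-report.example.invalid/submit"',
    'example.invalid. 3600 IN CAA 0 iodef "mailto:hostmaster@example.invalid"',
]

if __name__ == "__main__":
    for kind, target in reporting_contacts(SAMPLE_CAA):
        print(f"{kind}: {target}")
```

If the list comes back empty, the domain simply publishes no iodef contact (or no CAA at all), which is the common case jamieweb describes; the parser then gives no false positives to chase.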

~~~
system2
I contacted someone and that person responded already as I stated in the
details above. That person is a C-level and didn't even bother asking me about
anything. I move on, I tried to help.

------
mgliwka
Contact the CERT, they can help you out with establishing a line of
communication:
[https://www.kb.cert.org/vuls/report/](https://www.kb.cert.org/vuls/report/)

Do it anonymously, if you fear backlash.

------
Spooky23
You fulfilled your moral obligation, and cannot solve the problems of the
world.

Shake your head and move on!

------
barry0079
While it doesn't benefit you in the long term and you run the risk of being
blamed, as others have said, try contacting the government, considering they
seem to utilize their services. I think they're much more likely to take it seriously.

