Ask HN: Found rideshare app security leak but their bug bounty is invite-only - hanging
I noticed an ugly, stupid bug in 2FA for a major rideshare app. I noticed it and reproduced it on another device while recording it. I checked their developer page, but their bug program is invite-only (everybody else gets dumped to a generic message page). What to do?
======
Bucephalus355
Try sending an SOS message through LinkedIn. You can add up to 300 characters
in your invite.

Also you can call them. There was a case 4 months ago with me where I had to
reach out to a secretary (person who answered the phone) and tell her very
calmly to put me through to the CEO and that no, I wasn't trying to sell
anything.

Looking back on it I could have just had her take down a message, that works
too...

Also thanks for trying to reach out despite such difficulty. Hopefully in a few
years there will be a law that every registered website, or say every LLC that
meets XYZ criteria has to have a cyber person on file with the state. There
could be firms that have cyber ppl and you could pay them $300/month to
register with them to use one of their agents.

------
sumitsrivastava
Send a mail to the CEO, cc'ing the VP of engineering and/or the CTO.

~~~
laken
This has worked for me, especially for startups. It doesn't take long to find
the CEO's email.

------
eyeareque
security@company.com will usually get you a person that knows how to handle
these reports.