Ask HN: Worth following up? Publicly facing root passwords on a Fortune 100 - JungleCats

Hey there guys!
Sorry if this isn't the normal style for posts, I haven't been on here long.

Essentially, I recently found a publicly facing document which detailed ALL of the root passwords for a Fortune 100 company. (Amongst other things, it was an open directory which also included all of the staff VPN passwords and other sensitive information, including SQL backups.) I immediately reported this issue to them. I was told they would get back to me, and after reporting the issue I have sent multiple follow-up emails and have been selectively ignored. (I stumbled upon the root passwords completely by accident while looking around Google for information relating to an unrelated company.) They have now removed the documents in question (though they are still cached by Google). Should I let this go? I'm not sure whether it's worth pursuing. I don't want recognition or hush money. I would have been content with a thank you, and I would have called it a day. Oh, and if it is relevant, I sent my first email on January 23rd.
======
eurodance
Unless there is a bug bounty-type program in place, I wouldn't expect an email
back. You're wasting your time. I've had the same results as you in the past.
I don't even report them anymore.

~~~
JungleCats
Slightly off-topic, but check out this great email from PayPal today.

Hi JungleCats,

Thank you for your participation in the PayPal Bug Bounty program.

While we continue to review each vulnerability we receive on a case-by-case
basis, we have determined that this bug is not eligible for payment based on
the fact the website is in the process of being decommissioned and will be
shut down in the near future.

Thank you, PayPal Security Team

_yawn_

------
alexdevkar
In this area, no good deed goes unpunished. It sounds silly, but you have to
be careful.

~~~
JungleCats
Yeah, I absolutely see where you are coming from.

I considered just emailing the CEO and being all "Hey, thought you should be
aware that I've sent multiple emails and just wanted to ensure you are
informed"

------
snowwrestler
It's rude not to email you back, but then again they don't know who you are or
for sure how you got that info--all they know is that you have their sensitive
data. Some lawyer probably advised them to act on the info but not communicate
with you.

You've done a Good Thing, but like many good things, it will most likely go
unrewarded.

~~~
JungleCats
Yeah, I guess you are right. It's more that I expected a simple "Thanks" for
ensuring that they didn't end up on the front of the New York Times at some
stage.

~~~
logn
Fortune 100 companies are definitely aware that anything in email is evidence.
I doubt anyone wants to admit negligence or anything. And by offering you some
big thanks they only validate that they were real passwords and not some junk
data.

For an enormous corp to take down a file in a couple of weeks is thanks and
recognition enough I think.

------
pasbesoin
I once reported password exposure via browser caching in the login form of one
of those "too big to fail" banks. (I called it in.)

I never heard anything back, but a month or so later, it was fixed.

I'm glad it was some years ago. These days, I think I'd fear that their legal
team would seek to have me criminally charged and/or bankrupted, regardless.
(Don't look at the password caching; that's "hacking".)

I guess you did a good thing. In this day and age, though, I almost wish they
were named, as such behavior represents an extreme form of negligence. (I am
_not_ advising you to reveal them, though. See, for example, my previous
paragraph.)