

Ask HN: Is there "security issue notification for dummies?" (I discovered a hole...now what?) - dchest

Pardon me for this question, but I recently discovered a major security issue in OpenWebmail (it gives out full access to users' mailboxes in referrer URL), and I don't know how to handle it. How should people notify security professionals about such issues?

I notified one of the providers that uses OpenWebmail about this, and I tried to find contact information on the OpenWebmail website, but couldn't.

So my question is: how should people outside the security community handle important security information? Should we disclose it? Should we notify security experts? Websites?

Maybe I made a mistake writing about it? :-) I don't know. Please educate me.

Thank you!
======
cperciva
Generally the best approach is to contact someone who is part of the security
world -- they'll both know how to approach the right people and have the
credibility to get people to listen.

------
gaius
Contact CERT - www.cert.org

~~~
dchest
Thanks! The contact form is here: <https://forms.cert.org/VulReport/>

edit: and I've submitted the report.

