
Ethical vulnerability disclosure - ukmar
In a mobile application (sort of an eBay) with 10,000+ downloads on Google Play I found some vulnerabilities that allowed me to find sensitive information about the buyers and their purchases. I was also able to find a vulnerability that allowed me to find seller information, every sale that they made, and manipulate their items.
I have contacted them by email, telling them that they have vulnerabilities and what was possible if someone exploited them.
They have not replied yet.
If they reply to my email, is it OK if I ask for money to disclose the other information?
If they do not reply should I make this info public?
P.S. I do not want to make such info public.
======
wepple
For starters, the ethics of vulnerability disclosure are such a broad subject
that you're going to get 10 very different answers.

A generally common approach is:

* try to contact them via phone/email

* if no response, contact a CERT and see if they care

* wait a while (90 days? 3 months? up to you)

* if no response, disclose publicly

Asking for money? Big nope. If you genuinely want to have this problem fixed,
get it fixed. If you want to make money from finding bugs, enter bug bounty
programs.

Please don't try to manipulate them into giving you money, it only serves to
deeply hurt the reputation of people working in the often very difficult field
of vulnerability research and disclosure.

Edit: bullet points not working.

Edit2: be careful with the way you report these vulns. If you've tampered with
variables in an API, for example, that could constitute 'hacking' and they may
come at you with full force and lawyers. In that case you may want to use a
proxy (a human proxy).

~~~
ukmar
Honestly I don't care if they fix it or not.

I am not even going to make anything public.

