Ask HN: Unfixed responsible disclosure for 6 months - vulnfinder

Hi HN,
so I'm a "security researcher" in my part time, finding bugs here and there (mostly XSS stuff, so no actual researcher, just a junior dev finding obvious issues).

Going to start working at a big company soon after enjoying startup life.

After signing the employment contract I took a look at their website and discovered multiple XSS vulns. I can basically inject arbitrary HTML into the page, so display different content, redirecting, everything possible.

I reported it through their responsible disclosure form, got no reply, followed up 1 month (!) later, they said they got the email, but now almost 6 months later it's still not fixed.
It feels ridiculous and really makes me question the company (XSS for so fucking long, this must be a joke. Startup I used to work at fixed issues within 20 minutes - 1 day).

So HN, what would you recommend to do in this situation? Escalating further seems a bit risky, considering they could terminate me, but 6 months feels like a joke/insulting. Or are all moral obligations dealt with after making them aware of the issue?
======
MalcolmDiggs
Hmmm...that's troubling. Are you sure they understand the ramifications of the
bug? Let's assume they're rational actors and for some reason have made the
decision that this particular bug is lower priority than whatever-else they're
working on. I think your challenge is to thoroughly/patiently explain why this
bug is important and actually worth looking into.

But I doubt it's worth losing your job over, so once you've asked twice, I'd
probably drop the issue. If the vulnerability ever gets used by an attacker
your multiple disclosures will come to light, and hopefully they'll pay more
attention to you next time. Some people would rather learn lessons the hard
way, and it's not always your responsibility to save them from themselves, ya
know?

------
Shamiq
submit a pull request? find the dev who wrote it and ask if you can help get
it patched? file a bug? same thing as finding any other type of bug, really.
Just avoid sounding like an ass and you might make traction.

As a corollary: consider creating a better PoC for the bug.

~~~
vulnfinder
Yeah, if I were working there it would be easy; I have filed a lot of vuln
reports/PRs in the past at the startups I worked at. But the employment
contract was signed months ago and I'm not starting until soon, so I can't file
a bug report/contact a developer/create a PR.

The PoC is literally a URL, you open it and it shows arbitrary content
injected by me through a query parameter. No user interaction required, no
fields to enter, no login. They just forgot to sanitize their output, which
seems quite easy to detect and fix.

Thanks for your reply though.
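
The bug class vulnfinder describes above (a query parameter echoed into the page without output encoding), shown as an added example that is not code from the thread or from the company in question. The handler, parameter name `name`, and the `example.invalid` base URL are hypothetical; the point is the vulnerable pattern, its fix, and a regression check a team can keep in CI.

```javascript
// Added example: reflected XSS via an unencoded query parameter, and its fix.
// Hypothetical page that greets the visitor by the "name" query parameter.

// Encode the five HTML metacharacters for an HTML-body context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Parse the request path into a URL so searchParams handles percent-decoding.
function getNameParam(path) {
  const url = new URL(path, 'https://example.invalid'); // hypothetical host
  return url.searchParams.get('name') ?? 'guest';
}

// Vulnerable: the decoded parameter is concatenated straight into markup,
// so any HTML in the URL becomes part of the page with no user interaction.
function renderVulnerable(path) {
  return `<h1>Welcome, ${getNameParam(path)}</h1>`;
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderHardened(path) {
  return `<h1>Welcome, ${escapeHtml(getNameParam(path))}</h1>`;
}

// Regression check: request the page with a harmless marker that contains
// HTML metacharacters and report whether it comes back unencoded.
const MARKER = '<b>reflect-check</b>'; // constructed, not an attack payload
function reflectsUnencoded(render) {
  const html = render('/welcome?name=' + encodeURIComponent(MARKER));
  return html.includes(MARKER);
}

console.log('vulnerable reflects unencoded:', reflectsUnencoded(renderVulnerable)); // true
console.log('hardened reflects unencoded:  ', reflectsUnencoded(renderHardened));   // false
```

Wiring `reflectsUnencoded` against a real handler in the test suite catches the regression the moment someone re-introduces raw concatenation, which is cheaper than waiting for an external report.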