

Ask HN: How Long to Wait with Responsible Disclosure? - josephwegner

So, I found a pretty serious vulnerability in a major website. I won't go into great detail, but the vulnerability makes it terribly easy for a malicious user to harvest usernames & passwords in plaintext.

The offending site has not published a responsible disclosure agreement anywhere. I sent them an email letting them know about the issue, and would like to give them time to respond to/fix the issue.

How long would you usually wait before publicizing something like this? I don't want to throw them under the bus, but I also recognize that public pressure usually speeds up the response time.
======
dougbarrett
Who exactly did you contact? I know that sometimes the 'Contact Us' forms can
go to a CS team member and then just get added to the dev queue... but if you send it
directly to the CEO or to the board (if they have one) then it will be fixed
very quickly.

