
Ask HN: Billion-dollar companies sitting on security bugs for 4 months - sec_throwaway
We are a small 3-month-old security startup. We take an annual payment and discover security issues in customer properties and report them. We discovered a series of severe bugs related to authentication (OAuth, account hijack, overwrite), payments (free orders, wallet hijack, partial credit card info leak), user data leaks (including unsalted password hashes, addresses, email, phone, order histories) apart from the regular XSS, injection issues etc. and reported them to the respective companies 4 months ago. Most of the companies are startups based out of India (almost all of them worth $100m+ and 8-9 of them $1b+ companies). The companies have neither fixed the bugs nor informed their users about a possible breach that might have happened before we found out.

Should we release the bugs in public? We are thinking of making a small dashboard which will display the companies and the days left before the bugs automatically become public. What are our options? Ideally, we would like to convert them to paying customers after they fix their current issues, but they are not even fixing them.
======
JSeymourATL
> Ideally, we would like to convert them to paying customers after they fix
> their current issues...

If your intentions to help are sincere, you must get face-time with a true
decision maker at the C-Level. They may not have your expertise, so you must
show them personally & privately why this is a problem. The public shaming
tactic would likely backfire, and possibly be viewed as extortion.

------
herbst
Sounds reasonable imho.