
Ask HN: How to Deal with Companies Ignoring Responsible Disclosure Terms? - tomglynch
I have followed the responsible disclosure model to make companies aware of security vulnerabilities in their software. Some of these include being able to view private user information. As part of the process I request companies to alert their users that their data may have been breached. If companies do not follow this request, what should I do?
======
Bucephalus355
Do companies actually fix the bug/vuln you identify? If so, I’m amazed that
they even do that, and I would accept that as a “good enough” win.

Regarding disclosure, although this sounds like a lame position, I would wait
for the courts to decide. There are a lot of cases winding their way through
the Circuit Courts in the US that will give us a framework for disclosing and
when to do it regardless of the actions of any Federal agency.

If they don’t agree to fix the bug, by all means “name and shame”. Document
all your interactions with them though.

Also if it’s medical data remember HIPAA has a breach notice that applies in
all 50 states so there is that.

Also also, after the bug has been fixed there is nothing to stop you from
writing a blog post and letting the “media” pick it up naturally as part of
the news cycle.

NOTE: I have CISSP and CASP so I think that means something

