
Ask HN: Should I report ESTA (esta.cbp.dhs.gov) security bug? How? - dandare
While filling out the ESTA application at https://esta.cbp.dhs.gov/esta/application.html, after the form refreshed I was suddenly shown someone else's personal information.

I reported the security bug via https://help.cbp.gov/app/forms/complaint but I got a totally irrelevant response, no human probably read my message.

I would like to genuinely help the devs behind the site but I am also concerned about retributions from egotripping CBP officers. What are my options?
======
dvtrn
First entity that comes to mind that _might_ be in a position to at least get
the right eyes and attention to it, if not outright resolve it, would be
18F[1]; that's just a guess, though this seems right up their alley. I believe
there are a couple of employees here on HN.

[https://18f.gsa.gov/](https://18f.gsa.gov/)

------
ab
If there's not an obvious security contact at the agency, you can always
report vulnerabilities to US-CERT, which has overall responsibility for
connecting reporters to the right responders.
[https://www.us-cert.gov/](https://www.us-cert.gov/)

This links to the report form at
[https://www.kb.cert.org/vuls/govreport/](https://www.kb.cert.org/vuls/govreport/)

As with all vulnerability reporting, it's much more likely that someone will
take action on your report if you can provide evidence or a reproducible proof
of concept.

18F/TTS can sometimes direct reports to the right place, but it's really not
their job to do so.

------
Matt_Cutts
Some US Digital Service folks know people at DHS CIO and passing this on.

