
Ask HN: I believe I found a vulnerability in some software. What should I do? - non-entity
Closed source, proprietary stuff. Is it best to let it be? It's not major, but it does leak credentials that wouldn't otherwise be accessible.
======
notlukesky
Email them, especially since it is leaking credentials. Let the onus of blame
be on them. Although they might be aware of it and busy patching it already.
They might have contact information or a dedicated security email or security
matters page as well. Perhaps they might also have a bug bounty program. At
least you can have bragging rights later for identifying vulnerabilities and
put that on your resume.

~~~
masonic
I had an experience with a major app that had a major 2FA fail. They wouldn't
even look at it unless submitted through HackerOne (I was giving them a
friendly heads-up and sought no compensation).

I spent hours documenting it, writing detailed descriptions, and making a
video of the leak in a live session.

They closed the case with a vague (and unrelated) message within 30 minutes of
its submission.

I deleted their app, never used it again, and don't work with people who do.

