Ask HN: Unfixed responsible disclosure for 6 months
6 points by vulnfinder on Aug 18, 2015 | hide | past | favorite | 3 comments
Hi HN, so I'm a "security researcher" in my part time, finding bugs here and there (mostly XSS stuff, so no actual researcher, just a junior dev finding obvious issues).

Going to start working at a big company soon after enjoying startup life.

After signing the employment contract I took a look at their website and discovered multiple XSS vulns. I can basically inject arbitrary HTML into the page, so display different content, redirecting, everything possible.

I reported it through their responsible disclosure form, got no reply, followed up 1 month (!) later, they said they got the email, but now almost 6 months later it's still not fixed. It feels ridiculous and really makes me question the company (XSS for so fucking long, this must be a joke. Startup I used to work at fixed issues within 20 minutes - 1 day).

So HN, what would you recommend doing in this situation? Escalating further seems a bit risky, considering they could terminate me, but 6 months feels like a joke/insulting. Or are all moral obligations dealt with after making them aware of the issue?

Hmmm...that's troubling. Are you sure they understand the ramifications of the bug? Let's assume they're rational actors and for some reason have made the decision that this particular bug is lower priority than whatever-else they're working on. I think your challenge is to thoroughly/patiently explain why this bug is important and actually worth looking into.

But I doubt it's worth losing your job over, so once you've asked twice, I'd probably drop the issue. If the vulnerability ever gets used by an attacker your multiple disclosures will come to light, and hopefully they'll pay more attention to you next time. Some people would rather learn lessons the hard way, and it's not always your responsibility to save them from themselves, ya know?

Submit a pull request? Find the dev who wrote it and ask if you can help get it patched? File a bug? Same thing as finding any other type of bug, really. Just avoid sounding like an ass and you might make traction.

As a corollary: consider creating a better PoC for the bug.

Yeah if I would be working there it would be easy, have filed a lot of vuln reports/PR'd in the past at the startups I worked at. But the employment contract was signed months ago and I'm not starting until soon, so can't file a bug report/contact a developer/create a PR.

The PoC is literally a URL, you open it and it shows arbitrary content injected by me through a query parameter. No user interaction required, no fields to enter, no login. They just forgot to sanitize their output, which seems quite easy to detect and fix.

Thanks for your reply though.
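An added example, not code from this thread or from the company discussed, of the pattern the reply above describes: a query parameter echoed straight into the page without output encoding, beside the hardened version (HTML-encode at the point the value enters HTML text) and a check that tells the two apart. The URL, template, parameter name and marker are all constructed for the example.

```python
# Added example (not from the thread): reflected XSS via an unencoded query
# parameter, the fix, and a check that the reflected markup is neutralised.
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed page template; {q} is where untrusted input lands in HTML text.
TEMPLATE = "<h1>Search results for: {q}</h1>"


def query_param(url: str, name: str) -> str:
    """Return the first (URL-decoded) value of query parameter `name`, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Bug: the raw parameter is interpolated as live HTML."""
    return TEMPLATE.format(q=query_param(url, "q"))


def render_fixed(url: str) -> str:
    """Fix: encode <, >, &, quotes so the value renders as text, not markup."""
    return TEMPLATE.format(q=escape(query_param(url, "q"), quote=True))


def reflects_markup(render, url: str, marker: str) -> bool:
    """True if the rendered page still contains `marker` as unencoded markup."""
    return marker in render(url)


# Constructed sample: a harmless bold tag stands in for 'arbitrary HTML'.
MARKER = "<b>constructed</b>"
SAMPLE_URL = "https://example.test/search?q=" + quote(MARKER)

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_URL))
    print("fixed:     ", render_fixed(SAMPLE_URL))
    print("marker survives (vuln):", reflects_markup(render_vulnerable, SAMPLE_URL, MARKER))
    print("marker survives (fixed):", reflects_markup(render_fixed, SAMPLE_URL, MARKER))
```

The same check, run against a real response body with a harmless marker, is how a reporter can confirm a fix actually landed without needing anything beyond the URL.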