
Writing "They have a serious vuln" on Twitter is not responsible. Try to hack those who have bounties, please leave the others alone, or at least contact them privately when you find a vuln. Give them a chance to fix it, and if you want to be helpful also tell them what the issue is.

>Try to hack those who have bounties, please leave the others alone

Is this a joke?

This is awfully close to "if you see something bad happening, just ignore it" which I find rather ridiculous. I think the morally correct thing to do is inform them privately and, if the owners of the site don't respond (or block you, like in this case), go public so that laypersons know their information is not secure.

IANAL. If you have reported the vuln, they are required by law to report a "breach" to the authorities, and if they do not do it willingly they might be forced to tell all their customers about the breach. There's really no good in telling your 70k followers that said site has vulns, at least not until they have fixed them. If months have passed, the vulns are still not fixed and you have not heard back from them, you could try contacting the authorities yourself. Self-publishing your own "hacks" is not a good idea though; you should get a newspaper or other "researcher" to do it for you. You can brag about it later when the vulns have been fixed and you got permission. Only try to hack those who have asked for it, and make sure you join their bounty program for a reward.

Agreed. Especially considering how easy it would have been to contact them privately and directly.

A 2-second Google search for kidspass uk shows a sitelink for their "Contact Us" page, listing both a phone number and email address: https://www.kidspass.co.uk/contact-us

So unless that page was added post-incident, then IMO both Alex and Troy did not do responsible disclosure.

The initial contact was reportedly via private DM.

Hopefully they were given more than a few weeks' time to fix it. But by reading the article it seems they were impatient and didn't even wait for the weekend to be over before publicly announcing that the site had a vuln. And he didn't give instructions on how to repeat the "bug" in the DM (Twitter Direct Message).

They didn't say what the vulnerability was, just that there was one.

Considering his follower base there might have been a number of people interested to know what it was, and capable of finding out by themselves. And from the article it seems the tweet did set off a "hacker feast" against the site.
