
I found a really bad vulnerability in a dating app once, allowed anyone to see all other users' exact locations…contacted the CEO to let him know to fix it. He acknowledged. Thought that was it.

A few months go by, I decide to check again. Still hasn't been fixed, emailed again, acknowledged again. On and on and on. About a year went by for them to finally implement this fix which should take all of 10 minutes, I mean at the very least all you have to do is introduce some entropy into the GPS coordinates of the user. Hopefully I am the only one that found it.

It's pretty astonishing how much people just don't care, even the C-suite.
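The mitigation the comment above alludes to, as an added example that is not the commenter's code or the app's: coordinates are snapped to a grid cell (1 km assumed) and then offset within the cell by a per-user HMAC-derived value, so the exact position is never exposed and repeated queries return the same point (fresh random noise on every call would average out). The server secret and user id are constructed values.

```python
import hashlib
import hmac
import math

KM_PER_DEG_LAT = 111.32  # approximate length of one degree of latitude, in km


def _stable_unit(user_id: str, secret: bytes, label: str) -> float:
    """Map (user, label) to a stable value in [0, 1) using HMAC-SHA256."""
    msg = f"{user_id}:{label}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") / 2**64


def coarsen_location(lat: float, lon: float, user_id: str,
                     secret: bytes, cell_km: float = 1.0):
    """Return a coordinate pair that is safe to show to other users.

    1. Snap the true position to a cell_km x cell_km grid cell; only the
       cell, never the exact point, is ever derived from the real GPS fix.
    2. Offset the cell corner by a per-user HMAC-derived amount so the
       published point is stable across requests and cannot be averaged
       back to the cell corner by repeated polling.
    """
    lat_step = cell_km / KM_PER_DEG_LAT
    cell_lat = math.floor(lat / lat_step) * lat_step
    # Longitude degrees shrink toward the poles; size the cell from the
    # cell's own latitude so every point in the cell gets the same step.
    lon_step = cell_km / (KM_PER_DEG_LAT *
                          max(math.cos(math.radians(cell_lat)), 0.01))
    cell_lon = math.floor(lon / lon_step) * lon_step
    jitter_lat = _stable_unit(user_id, secret, "lat") * lat_step
    jitter_lon = _stable_unit(user_id, secret, "lon") * lon_step
    return (round(cell_lat + jitter_lat, 5), round(cell_lon + jitter_lon, 5))


def distance_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance (haversine), used to check the error bound."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2 +
         math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


SECRET = b"constructed-server-side-secret"  # constructed; keep out of the client
```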



Sounds familiar. In July 2022 I found a vulnerability in one of our systems (easy to exploit and basically allows anyone to authenticate as anyone, full access to LDAP accounts), I reported it and they made a fix which they supposedly deployed. The infosec department was notified everything was OK now. I decided to recheck it a few months later (I took it personally because someone could pose as me) and found out they somehow forgot to actually deploy it even though the original ticket was marked as fixed/closed. I notified the original team and they promised to deploy it "very soon" which didn't happen again. Basically every week I had to post "still not fixed" to their chat for a few months. Every time the project manager would promise it would be deployed soon but then would forget about it. Countless emails to the infosec department about the situation. It was finally deployed in January 2023, a fix which had been ready (coded and tested) for half a year by that time! Deploying it took literally 15 minutes. In fact, I could (and was ready to) deploy it myself because I have the required privileges but I was part of a different team by then and it felt wrong to mess with their release cycles on my own.


Should've just used the exploit to deploy using one of their user accounts, then thank them for the quick fix!


That's what responsible disclosure is for. Having a set deadline before an issue becomes public at least puts some pressure on the company to fix it. Not out of spite, or anything, but because it's the only way to protect the users, instead of just the owners.


IMO you should only give one chance for security vulnerabilities. If not fixed within your deadline or provided an explanation on why not, then it gets hacked. If you're into that sort of thing. Either that or blasting them on the social medias...



