Nexmo.com provides messaging and voice solutions, such as SMS gateway functionality, and has prominent customers like Airbnb. In May I found a serious security vulnerability on their website that enables anyone to reset the password of any account on Nexmo.com just by knowing the account's email address, and thus to take over an account, see what SMS messages the account has sent, happily use the account's credits, et cetera.
I tried to figure out how to contact them about the security vulnerability, but they don't have a dedicated page about security or about how security researchers can contact them, as GitHub and many others do (https://help.github.com/articles/github-security/). That makes me wonder how important security is to that company, but anyway.
So I ended up writing to their general-purpose support email address, explaining that I'd found a highly severe security vulnerability related to password resets and would like to get in touch with someone from their IT security department or similar. Here's what they replied:
"Thanks for your email - this challenge has finished already, but we appreciate you contacting us."
Wait ... this "challenge" has finished already? What the serious f*?!
So I replied and explained to them that my inquiry wasn't about a "challenge" but about a serious security hole on their site.
Finally, it seemed that they understood what I wanted, and they replied with the following:
"Thanks for letting us know about this, as a result of your email we are investigating it internally. If we need any further information from you we will let you know."
The reply seemed a bit weird to me. Why not just get in touch with me so I can explain the vulnerability? Still, I respected their answer.
As of today, the security vulnerability is still present. How can you, as a company, simply not care about security and customer information?
So HN, what should I do? Just forget about it?
Also, I would like to respond to the complaint that "we don't care about security". This is simply not true; we even run a bug bounty reward program. We do care, and we accept reports through https://cobalt.io/ (formerly CrowdCurity), so if you share your username/email on Cobalt with us, we can add you to our program.
I totally agree we fucked up handling your report back in May and should have done better. I hope you are still willing to work with us!