Penetration Testing mailing list archives
How to deal with the company that doesn't react on providing them information about serious security vulnerability?
From: Michał Rybiński <fishmanos79 () gmail com>
Date: Wed, 23 Jul 2014 11:06:29 +0100
Hi all, I believe this is the best place to ask such question because I would imagine that most of people reading this list have something to do with discovering vulnerabilities and reporting them to parties responsible. On the beginning of the January I have discovered some security flaw which allows basically anyone to access all personal client's data (full name, full address, email address and a few more) of one of the most known Internet IT magazine. Although I have sent information about it to 3 different contact email addresses in the two months time span, the only thing I got in return was information that "We have received your email and have forwarded it to our main office to review and advise." received on 1st of April. Since then I haven't heard from them at all. The easiest action I can think of is to just make a full disclosure of the flaw and wait for the reaction but because this would allow almost anyone to access personal data of tenths if not hundreds thousands of subscribers (including me), I'd rather not do that... Could anyone of you propose what would be the best solution in this case or maybe generally this subject can be the start for the more general question - what should be done with the companies that doesn't react on such information sent? Many thanks MR ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- How to deal with the company that doesn't react on providing them information about serious security vulnerability? Michał Rybiński (Jul 25)
- Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Dolev Farhi (Jul 27)
- Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Tim (Jul 30)
- RE: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Mostyn, William Thomas (Tom) (Jul 30)
- Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability? Mike Peppard (Jul 31)