
561 points bearsyankees | 3 comments
edm0nd ◴[] No.43965336[source]
> I have been met with radio silence.

That's when it's time to inform them you are dumping the vuln to the public in 90 days due to their silence.

replies(3): >>43965359 #>>43965374 #>>43965518 #
hbn ◴[] No.43965374[source]
That's more of a punishment to innocent users than the business.
replies(3): >>43965381 #>>43965519 #>>43966199 #
1. kenjackson ◴[] No.43965381[source]
True. Maybe let them know you will be directly contacting each user and letting them know that this service has exposed their personal information to hackers.
replies(1): >>43965582 #
2. nick238 ◴[] No.43965582[source]
I'd definitely not do that. POCing a scraper to check is fine, but you shouldn't save any PII from that data. You're also saying you're the "hacker", as you don't know if it's actually been revealed to others without the forensics that (hopefully) only the business can do.
replies(1): >>43967496 #
3. kenjackson ◴[] No.43967496[source]
Yeah. Not good practical advice on my part.