
561 points bearsyankees | 1 comments
edm0nd No.43965336
> I have been met with radio silence.

That's when it's time to inform them you are dumping the vuln to the public in 90 days due to their silence.

hbn No.43965374
That's more of a punishment to innocent users than the business
nick238 No.43965519
Disclosure is good for the 'innocent users' as they are made aware that their data may have been leaked (who knows if the company can do the sufficient auditing and forensics to detect total scraping), rather than just being oblivious because the company just didn't bother to tell them.
maxverse No.43966025
Is there any reason to not just privately email the users? "Hey, I'm so and so, a security researcher. I was able to gather your data from <Company>, which has not responded to any inquiries from me. Please be aware that your data is mismanaged and vulnerable, and I encourage you to voice your concern directly to <Company>."
Ajedi32 No.43966882
Seems like a reasonable idea, though depending on how many users are affected that may effectively amount to going public. Also only works if the vulnerability gives you access to all customer emails, and you're willing to exploit it to get that info (which might not be a good idea legally speaking).