(alexschapiro.com)

570 points bearsyankees | 1 comments | 12 May 25 16:39 UTC | HN request time: 0.207s | source

Show context

edm0nd ◴[12 May 25 17:16 UTC] No.43965336[source]▶

>>43964937 (OP) #

> I have been met with radio silence.

Thats when its time to inform them you are dumping the vuln to the public in 90 days due to their silence.

replies(3): >>43965359 #>>43965374 #>>43965518 #

hbn ◴[12 May 25 17:20 UTC] No.43965374[source]▶

>>43965336 #

That's more of a punishment to innocent users than the business

replies(3): >>43965381 #>>43965519 #>>43966199 #

nick238 ◴[12 May 25 17:35 UTC] No.43965519[source]▶

>>43965374 #

Disclosure is good for the 'innocent users' as they are made aware that their data may have been leaked (who knows if the company can do the sufficient auditing and forensics to detect total scraping), rather than just being oblivious because the company just didn't bother to tell them.

replies(2): >>43966025 #>>43966247 #

maxverse ◴[12 May 25 18:20 UTC] No.43966025[source]▶

>>43965519 #

Is there any reason to not just privately email the users? "Hey, I'm so and so, a security researcher. I was able to gather your data from <Company>, which has not responded to any inquiries from me. Please be aware that your data is mismanaged and vulnerable, and I encourage you to voice your concern directly to <Company>."

replies(2): >>43966882 #>>43967667 #

1. yard2010 ◴[12 May 25 21:33 UTC] No.43967667[source]▶

>>43966025 #

Make it better: find a lawyer that would sue, send them the details, you can find like 10 ppl out of 10k who would love to sue, you get your bounty from the lawyer.

↑

I hacked a dating app (and how not to treat a security researcher)