BrandoElFollito | 9 days ago

You typically disclose the vulnerability for one of these reasons: you want money, you want fame, you want to make a better world. There are others such as blackmail but let's settle for the typical ones.

If you do it for money or fame, you step cautiously not to annoy the company. You ask, you beg, etc. Not something to be proud of but this is life.

If you do this to make the world a better place, you get annoying. You explain the risks, possibly how to fix it and then send a few reminders with the threat of making it public. Depending on where you are this may be a danger for you or not (though you would usually go anonymous in that case).

OP did the right thing. Without setting deadlines, a company will ignore it. Or not - but in that case they will not be offended by the deadline and would discuss with the reporter (by agreeing on mitigation if a complete fix cannot be done easily).

There used to be a time when companies cared because it was an uncommon event. Today you get 3 "We are so sorry" emails a week, so one more or one less makes it less stressful to have public disclosures or data leaks. There is simply no accountability.

ddtaylor | 9 days ago

Full disclosure is responsible disclosure.

Companies can't hide when there is a website or bot spewing out the information with their logo next to it.

Proxies are cheaper than lawyers.