thiht | 8 days ago

Maybe the standard practice sucks. No matter how you turn it around, it does sound like blackmail. Just because you disclose a vulnerability to an org doesn’t mean you have any right or legitimacy to impose a deadline on them; you’re not their boss. This is some vigilante shit and it has no justification whatsoever. Report to the org, report to the authorities as needed, and move on.

ThunderSizzle | 8 days ago

Without a deadline of some form, when do you escalate to public knowledge so customers can know they might get defrauded in some capacity?

rdtsc | 8 days ago

> Without a deadline of some form, when do you escalate to public knowledge so customers can know they might get defrauded in some capacity?

You set a deadline after an initial conversation and urging them to fix it, if they don’t respond. I think the idea would be to escalate slowly. Like the original poster said, large tech companies like know how to do this and have streamlined the process. But to someone not familiar with the process, it looks like threats and deadlines imposed by a random person.

I am not defending the company, just presenting their possible point of view. It’s worth seeing things with their eyes, so to speak, to try to understand their motivations.

nebulous1 | 8 days ago

Blackmail to gain what? Speedy update to the site? The OP is going to disclose the vulnerability. The only matter up for debate is the timing.