Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: How to deal with the company that doesn't react on providing them information about serious security vulnerability?
From: "Dolev Farhi" <dolevf () yahoo com>
Date: Sat, 26 Jul 2014 09:08:26 +0000

Hi,
If I were you, I wouldn't post this in fulldisclosure, at all. This is due to the harm it may cause the involved and uninformed innocent people, as you described. If the company doesn't respond to emails try to look for official channels: Facebook, Twitter, Linkedin? and send an informing message via those channels.
There is always some kind of way.
If there is absolutely no way of contacting them, try contacting the host provider or something. I definitely think exposing this while in a vulnerable state is irresponsible.






------ Original Message ------
From: "Michał Rybiński" <fishmanos79 () gmail com>
To: pen-test () securityfocus com
Sent: 7/23/2014 1:06:29 PM
Subject: How to deal with the company that doesn't react on providing them information about serious security vulnerability?

Hi all,

I believe this is the best place to ask such question because I would
imagine that most of people reading this list have something to do
with discovering vulnerabilities and reporting them to parties
responsible.

On the beginning of the January I have discovered some security flaw
which allows basically anyone to access all personal client's data
(full name, full address, email address and a few more) of one of the
most known Internet IT magazine.
Although I have sent information about it to 3 different contact email
addresses in the two months time span, the only thing I got in return
was information that "We have received your email and have forwarded
it to our main office to review and advise." received on 1st of April.
Since then I haven't heard from them at all.

The easiest action I can think of is to just make a full disclosure of
the flaw and wait for the reaction but because this would allow almost
anyone to access personal data of tenths if not hundreds thousands of
subscribers (including me), I'd rather not do that...

Could anyone of you propose what would be the best solution in this
case or maybe generally this subject can be the start for the more
general question - what should be done with the companies that doesn't
react on such information sent?

Many thanks
MR

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault