Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: How to deal with the company that doesn't react on providing them information about serious security vulnerability?
From: "Mostyn, William Thomas \(Tom\)" <tmostyn () viperlab net>
Date: Wed, 30 Jul 2014 17:18:06 +0000

You could try reporting it at this site:

http://www.ic3.gov/default.aspx

Tom
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tim
Sent: Wednesday, July 30, 2014 11:36 AM
To: Michał Rybiński
Cc: pen-test () securityfocus com
Subject: Re: How to deal with the company that doesn't react on providing them information about serious security 
vulnerability?

Have you tried contacting their public relations department?
Marketing department?  Try to get them on the phone.  Those kinds of folks have a big interest in protecting the brand 
of the company and they have the ear of executives.  Failing that, make the issue very public on social media (as 
already suggested), but perhaps don't release technical details right away.

Another avenue would be to contact government authorities who are in charge of enforcing privacy laws.  In the US, most 
states have a public disclosure law on the books which requires companies to notify their customer when their 
information is exposed.  Clearly information is being exposed as we speak.  Individual state Attorney Generals might be 
interested to know that.

tim


On Wed, Jul 23, 2014 at 11:06:29AM +0100, Michał Rybiński wrote:
Hi all,

I believe this is the best place to ask such question because I would 
imagine that most of people reading this list have something to do 
with discovering vulnerabilities and reporting them to parties 
responsible.

On the beginning of the January I have discovered some security flaw 
which allows basically anyone to access all personal client's data 
(full name, full address, email address and a few more) of one of the 
most known Internet IT magazine.
Although I have sent information about it to 3 different contact email 
addresses in the two months time span, the only thing I got in return 
was information that "We have received your email and have forwarded 
it to our main office to review and advise." received on 1st of April.
Since then I haven't heard from them at all.

The easiest action I can think of is to just make a full disclosure of 
the flaw and wait for the reaction but because this would allow almost 
anyone to access personal data of tenths if not hundreds thousands of 
subscribers (including me), I'd rather not do that...

Could anyone of you propose what would be the best solution in this 
case or maybe generally this subject can be the start for the more 
general question - what should be done with the companies that doesn't 
react on such information sent?

Many thanks
MR

----------------------------------------------------------------------
-- This list is sponsored by: Information Assurance Certification 
Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
----------------------------------------------------------------------
--


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault