Found a significant vulnerability on a large site. I would like to inform the site administration. But is it worth doing or not? Maybe someone knows how to do it safely...
2 answers
- Look for a bounty program. Some companies pay money if you find a serious vulnerability. It's easy to search on Google and on https://hackerone.com/ - that is the largest bounty site.
- I would strongly advise against reporting non-anonymously. Many companies, especially in Russia, instead of solving the problem, start making accusations and threatening with lawyers. This is especially true for "serious business" unrelated to IT. Therefore, throwaway accounts are the normal way.
- Do not try to get through via technical support; it is practically useless. If you are dealing with a "serious business" like a bank, try to find security contacts; if there is anything serious, you will usually get through directly (and it is worth reminding them =)). It is usually easier to reach people working directly on the project via social networks; there is a chance of finding someone who actually cares. Corporations have one peculiarity: they are generally much easier to reach by email than through other means of communication.
- Are you being ignored? Three options remain. Good: write an article on Habr, after which the company will surely move; neutral: drop it altogether; and evil: dump the vulnerability onto the darknet.
I also came up with the option of "leaking it to some external auditors who, using knowledge of the vulnerability, will be able to sell themselves to the company", but in practice I don't know of any implementation of such a scheme.
- A US company, a global brand, with IT tied to hardware manufacturing... I wrote to them; no answer for the 2nd day. They say 24 hours. - wolter_white
In principle, it is right to inform the administration, with the maximum amount of detail on the vulnerability itself, preferably without your own data. Some have programs along the lines of "find a bug, get a tank ($$$)"; if this site has one, post there. If the site is really large (a million or more visitors) and there is no bug bounty program, it makes sense to post about it on Habr; often after such a kick the site owners move much faster than even after a personal appeal.