The risks of disclosing web vulnerabilities
Posted May 14, 2006 19:48 UTC (Sun) by kasperd
In reply to: The risks of disclosing web vulnerabilities
Parent article: The risks of disclosing web vulnerabilities
I see this behaviour as a typical "we don't have any problems, but we'll sue you to pieces if we have" scare tactic. Utterly, utterly irresponsible. And pathetic, too.
I have experienced that as well with a Danish company. My experience with that particular company was a different reaction to each email I sent to them.
- ignore it: I wrote an email to them, and it appeared to be ignored. I got no reply, and nothing was done about the problem.
- try to talk out of it: I got a thankful answer, in which they stated that they would do something about the problem. But they didn't.
- deny it: After my third email they tried to deny the existence of the problem. To which I responded that in that case it couldn't do any harm to publish my findings.
- threaten: Their next reaction was to threaten me with a lawsuit in case anybody found out about the problem.
At that point I decided the best I could do was to report the company to the authorities for keeping personal data without the amount of security required by the law. At least I felt that was the best I could do for my own position in case of a lawsuit.
The company was given a very long time to respond about the problem. And just before their time ran out, they removed that particular symptom. However, there was no proof that the vulnerability was really solved. And in other places there were still symptoms showing vulnerabilities, and other problems showing they just don't know what the hell they are doing.
A couple years back I found an SQL injection vulnerability in a major Danish site, and I simply gave them a call. After some shuffling around with my phone call, I got to one of the developers. She was shocked -- but thankful, and they fixed it rapidly.
Nice to hear that there still are companies handling such approaches reasonably. Unfortunately they are rare. I have reached the point where I don't know if it is worth the effort to tell sites about their security problems.
I think the next time I come across a security vulnerability in a Danish site I'm just going to report it straight to the authorities and then just publish the fact that this company has been reported.