Information Security
3g0lex, 2017-10-15 18:51:11

How to inform a huge company about a vulnerability?

There is a vulnerability very similar to this:
"Modify the API requests to Amazon in such a way that goods are delivered for free. It is not even necessary to modify the API requests; you can cheat through the GUI."
There is a proof of concept; the vulnerability was exploited for $7 for research purposes.
The company has a bug bounty program on hackerone.com, but I can't submit my report there, because I have just registered and do not have a sufficient rating to send a report to this company.
Communicating with the support service by e-mail turned out to be an amazing surprise, because a bot is the one talking to me :)
I went to the St. Petersburg office of this company, did not tell them the essence of it, just said that it can be done that way. Everyone laughed at how old-school I was. They promised to pass the information on to the Moscow office, but they seemed kind of uninterested. Nobody writes, nobody calls.
I'm thinking about how to proceed.
I won't just post it out of anger, out of respect for my colleagues' work.
The best thing that comes to mind is to send an e-mail to DHL asking them to contact the company's head office in California. In theory, they should answer.


5 answers
3g0lex, 2017-10-19
@3g0lex

quora.com/How-can-I-disclose-huge-security...
Bill Woodcock, Executive Director at Packet Clearing House (1994-present)
Responsible disclosure dictates that you inform the company (in writing, cc'd to their general counsel and compliance manager, being very clear that you've presented all the information you possess, that you're not asking them to give you anything, that you did not come by the information illicitly, and that the communication is the last and only involvement you want to have in their problem) and simultaneously inform whatever CERT you're a constituent of. Make sure the company and the CERT are both aware that you've informed each other.
At that point, it's up to them to do the right thing, and up to the CERT to hold them to it and move along to public disclosure on a reasonable timeframe.
Yes, all CERTs talk to each other. If you're unclear on any of the above, you're welcome to contact me directly, and I can help you raise the ticket with your local CERT, since they'll be my colleagues.

Vladimir Dubrovin, 2017-10-16
@z3apa3a

Post on one of the social networks, adding the company's hashtag and your h1 login, with a request to temporarily lower the signal requirement or to invite you to the program so that you can take part in it.
If the company belongs to the Mail.Ru Group, send me your login/contact details and I will pass them on, or you can report it to https://hackerone.com/mailru with a description of the situation; there are no signal restrictions in that bug bounty program.

sim3x, 2017-10-15
@sim3x

Find a bunch of hackers
- ask them to submit the report on their behalf
Take life easier: you can't fix every bug, and there won't be enough time to run around to every company like this.

Konstantin Malyarov, 2017-10-15
@Konstantin18ko

Solving the problem:
1. Rent a server in a country where no one cares what you do on it and carry out the attack from there. This will be a lesson for the company (they will lose 100,000 of their profits), but claims will be brought against you.
2. Exploit the vulnerability so that they don't notice, although the first audit will reveal it. So to speak, get your reward by exploiting the vulnerability.
3. The Moscow office? You can also try that.
4. If point 3 doesn't work, write it up on Habr and other resources.
