Answer the question
In order to leave comments, you need to log in
Should I report a found vulnerability?
Hello, sorting through the dorks, I found an ftp server of one network of regional online stores. On the server, in turn, I found a file - in the best traditions (password.txt) with passwords from the mail of this company in different regions. Since passwords are the same everywhere, they are suitable for the admin panel, and there is also a database ... Also, a whole bunch of contracts, reports, information about money accounts, details, contact information, internal documentation. What should I do now with this, after reading stories about criminal cases and even persecution of the special services, it somehow becomes uncomfortable. As I understand it, the company does not have a clear technical specialist or at least some kind of support, and my message about the vulnerability can be regarded as an attack or even worse.
Answer the question
In order to leave comments, you need to log in
Heh) Well, let's start with the fact that "to be afraid of wolves ...".
If they want, they will find it without even sending them a report from your side.
If all this was done (as I suppose - did you still try the password from the admin panel?), really, and at least elementary channel encryption of the connection (depending on how else they interacted except ftp), but better in the complex - ala vpn / vps / vds .
I hardly think they will dig for a bug report ...
Use tickets on the site / sites (it is better to discard e-mail immediately), other contact details with the authorities: icq / IM / skype / phone number (free sms from the operator's website).
And of course, if they smell like web dev, then you can look for the Bug Tracking System, even if it is only for team developers. So to say pleasantly surprise them)
And just let them know and don’t be paranoid, such habits are appreciated and thanked from abroad not only in words.
In the Russian Federation, the maximum is - in a word, and it’s still good if it’s kind)) But no one will abuse your IP. At least serious companies..
Yes, and the issue has already been discussed from the "back side"
Comments
Maybe I was just lucky, but my attempts to report any vulnerability have NEVER been regarded as a hack. They leave without an elementary "thank you" and fix the vulnerability often, thank you even more often (I always hint at a reward), but they never tried to threaten.
Just in case, you can report the vulnerability anonymously.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question