Payment systems
Ivan Filatov, 2016-06-24 09:45:26

Deadline for fixing a vulnerability: how long before I can publish?

Given: a serious vulnerability at a popular company. The vulnerability, if someone wishes, can cause harm financially (and very severely) and reputationally (the money of citizens, clients of this company).
The vulnerability was reported to this company, as expected, both by phone and by letter, with the whole scheme laid out. The response received: noted.
Two weeks have passed. We decided to ask how things are, whether it is closed or not. They said that they would not report whether it has been closed or not. They also do not want to say whether it exists at the moment.
Trying to reproduce it is, in effect, a criminal offense, and one doesn't want to spend one's own money on checks.
Question: what are the time limits in general, under our Criminal Code of the Russian Federation, for publishing it on an information resource in order to stimulate its elimination? How long does one need to wait?
I don't want to expose myself if everyone suddenly rushes to check it. It will be a hit! They are not interested in this either.

5 answer(s)
Михаил Лялин, 2016-06-24
@mr_jok

Purely legally, any publication by you will be regarded as incitement, regardless of the time elapsed.

sim3x, 2016-06-24
@sim3x

Forget about it.
Don't work where you live without cover from comrade major.
Don't work if the company has no bug bounty.

Владимир Дубровин, 2016-06-24
@z3apa3a

Publish preliminary information without disclosing the details of the vulnerability: classification, potential risks for customers, timeline of the interaction.

Влад Животнев, 2016-06-24
@inkvizitor68sl

The Criminal Code of the Russian Federation covers all of this, and the punishment is substantial if they go to court.
Just forget about it, that's all.
