Law in IT
mitaichik, 2021-06-10 18:00:25

What will happen if I disclose the fact of a vulnerability on a state resource?

Good afternoon.

I accidentally found a vulnerability on a large state resource, through which you can steal personal data (name, passport number, etc.) about their users (half of Russia).

I wrote to support, they said thank you, they will transfer it to the responsible department.
It's been a week and nothing has been fixed. I said that if they do not fix it, I will write to the media - silence.

Are there risks if I disclose the fact that they have a vulnerability without describing it?
On the one hand, there is an understanding that no one will move without attracting attention, and at this time, personal data (including mine) can be leaked.

On the other hand, it's disgusting.


2 answer(s)
Sergey Gornostaev, 2021-06-10
@mitaichik

There are dozens of articles on Habr, and hundreds on the Internet, on the topic "I discovered a vulnerability and a criminal case was opened against me."

Evgeny Golubev, 2021-06-14
@bestowhope

Well, for starters, you need to think in order to openly shoot yourself like this, even with good intentions.
For the future: If you are such a good Samaritan, speak without burning yourself and watch the reaction. In your case, there is no reaction, which means that it is your business to do dirty things with it or not.
This is the first.
And the second. Why would you broadcast the fact that a vulnerability exists? To walk around shouting? - So it will serve you well.
"The quieter you go, the further you'll get"
