RE: Question about exploit exposing SSN & user info
Hello,
I think you chose the right list for such a question.
I have had various experience working with different companies in
this field - I've led HACKPL Security Dep., and we receive plenty
of information about various security issues.
I think it is quite common that companies try to behave as if nothing
really happened, or as if the issue wasn't that important. From my
experience, a huge number of companies fail to inform their clients of
problems even when the issue is patched. If you want to make the information
public, make sure everything is _really_ patched, then ask the company
to inform their clients (if they don't want to do so themselves). If the company
says:
'Nothing baaad really happened. This and this could be done. Our clients
are safe thanks to Our Gosh-So-Perfect Security Program. Thank You
for sharing information with our Security Team.'
then, in my opinion, you are free to inform the public what really
happened, as your intention was to bring true information to the public in
order to make the community safer and _aware_ of the problem. (I would
first inform the company of my plans, and if they didn't change their
decision, I would reveal the information about the issue.) The issue might
have affected many people, and people have every right to be aware of
eventual problems.
Finally, not only do many companies fail to react properly, but many also fail
to act at all. I have experienced many situations where I reported the
problems many times, and there was no response. Fortunately, the majority
of serious companies solve the problems and treat clients with enough
respect (to inform them of the problem).
One more thing: if you feel like you are skating on thin ice, send additional
information to my personal email: michal.bucko <at> eleytt <dot> com.
I think we could find a good solution for your problem. Before writing,
be sure to check the legislation in your country (it would be nice
if you had a lawyer friend who could advise you).
Cheers!
mb