How do I report a security issue without getting sued?



Hi all,

I've found a quite bad security leak exposing a bunch of customer data in an app created by a small startup.

It's a really obvious hole. I simply made 2 accounts, and logged in with one, went to the edit page of my account containing my info (email etc.), then changed the ID in the GET request to the other account's ID.

It's scary how easy this was.

I never looked at other customers' data. The GET URLs just seemed so insecure that I had to try if this would work.

Anyway, I really want to make the issue clear to the company so they can fix it.

However, I'm worried they might not take this so well.

I'm afraid they will take more notice of the 'I can view all your customers' data' part of my story than the 'and I'm here to help' part.

Of course I could leave a nice note in their contact form without an email address and hope they don't keep any access logs (wouldn't be surprising at this point).

But that just doesn't seem right.

Does anyone have any advice on how to go about this? Any experiences in this area maybe?

Should I be worried at all about legal troubles?

Thanks!
