An example of a vulnerability disclosure gone wrong…
I debated mentioning the company but will resist. While making a contribution through a well-known payment processing app, I discovered a vulnerability. It was an OWASP top-10 vulnerability and was discoverable while doing nothing more than using the app as a normal-ish user would. Okay, true, my wife probably would not have discovered it. But, that’s simply because she would not have known what she was looking for.
Read the email thread from the bottom up…
If an organization does not have a disclosure policy/program/process/contact/etc., do NOT attempt to disclose a discovered vulnerability. There’s nothing to gain, but everything to lose. It’s just not worth it. If the organization is too immature to have a disclosure policy or process, they are likely going to handle a disclosure immaturely as well.
All businesses need to make sure they have created and posted a responsible disclosure process, contact information, and/or listed their org with a bug bounty program. There are so many options and places to do this. Here are a few examples, all taken straight from https://www.owasp.org/index.php/Vulnerability_Disclosure_Cheat_Sheet:
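One of the publication options the OWASP cheat sheet covers is a security.txt file (RFC 9116) served at /.well-known/security.txt, which gives a reporter a machine-readable contact and policy link. The following is an added example, not part of the original post or of any vendor's code: it parses a constructed sample security.txt and runs the checks an organization would want before publishing one (required Contact and Expires fields present, Expires not already past, Contact values using the URI schemes the RFC recommends). The sample file contents and the example.com URLs are constructed for this illustration.

```python
"""Added example (not from the original post): build and sanity-check a
security.txt file, the machine-readable form of the disclosure contact
information the post asks organizations to publish."""
from datetime import datetime, timezone

# Constructed sample of what a hypothetical organization might serve at
# https://example.com/.well-known/security.txt (values are placeholders).
SAMPLE_SECURITY_TXT = """\
# security.txt (constructed sample for a hypothetical organization)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Policy: https://example.com/security/disclosure-policy
Canonical: https://example.com/.well-known/security.txt
"""

# RFC 9116 requires at least one Contact and exactly one Expires field.
REQUIRED_FIELDS = ("Contact", "Expires")
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Return {field_name: [values]} from security.txt content.

    Comment lines begin with '#', blank lines are ignored, and a field may
    repeat (e.g. several Contact lines), so values are kept in a list.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as err:
        return [str(err)]

    problems = []
    for req in REQUIRED_FIELDS:
        if req not in fields:
            problems.append(f"missing required field: {req}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    if expires:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                # A stale file tells a reporter the contact may no longer be read.
                problems.append("security.txt has expired; refresh it before relying on it")
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")

    for contact in fields.get("Contact", []):
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(
                f"Contact should be a mailto:, https:// or tel: URI, got {contact!r}"
            )
    return problems


if __name__ == "__main__":
    issues = check_security_txt(SAMPLE_SECURITY_TXT)
    print("OK" if not issues else "\n".join(issues))
```

Run it as a pre-publish check in the pipeline that deploys the web root; the same parser can be pointed at a competitor's or partner's file to confirm it is still valid before you send a report to the address it lists.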
If you have any doubts on what to do, please reach out to me; I’ll be more than glad to offer assistance. Most of us disclosing vulnerabilities are not “bad” people wanting to cause you harm. We’re here to help make you more secure!
Original Source: https://twitter.com/redeemedHacker/status/1029950560517148672