What do you guys do when a company makes it impossible to help them fix their vulnerability? – Digitalmunition


This topic contains 1 reply, has 2 voices, and was last updated by  DrinkMoreCodeMore 1 month, 2 weeks ago.

  • #369478


    So, one of the largest pharmaceutical wholesalers/distributors in the world ($150 billion+ company) makes it impossible to reach out to a security department or, at the very least, pass my message along to the right person.

    The vulnerability is so bad, you can log in as any customer in the world.

    I’ve reported it for the last year, literally called every other week a few months back, as well as emailed/posted on social media that there’s a vulnerability that will put all their customers at risk.

    What do you guys do next? My conscience is getting the best of me; I don’t want potentially 50 million people getting medical information leaked.

  • #369481


    If you mean you can log in as a major pharma customer of theirs, like Roche, J&J, Pfizer, Merck, or Bristol Myers, i.e. you can log in to the distributor as them, then notify the pharmas and it will get fixed right away.

  • #369482


    I would appreciate it if you contacted me. I can put you in touch with the people at most major pharmas, and can hopefully get you paid for the bug. Bug bounty programs start with finds just like this. 🙂 Let’s talk.

  • #369483


    You’re posting this to a hacker forum. I think you know what you could do. Create an ***innocuous*** pain point for them. One that is mitigated by the solution you’re proposing.

  • #369484


    Call or email whoever is the tech journo at the Guardian in your country.


  • #369485


    [HackerOne](https://www.hackerone.com/for-hackers/start-hacking) specializes in this sort of Vulnerability Disclosure Program (VDP).

  • #369486


    I think everyone here closed the loop for the most part. My only addition would be to also expand as broadly as possible and consider all vectors of the vulnerability. Considering that it’s a login vulnerability, there’s obviously a misconfiguration/default configuration/etc., but can it be replicated elsewhere outside of pharma (if by chance it’s a widely used/distributed service)?

  • #369487


    Stick it on a public disclosure site like Pastebin or Reddit.

  • #369488


    Use social media, DM them.

  • #369479


    If you tried responsible disclosure, give them 90 days and then just publish it online yourself, or with a journalist/media company writing about it, or try to contact them via a media outlet.

  • #369480


    that’ll get a fucking response
