What do you guys do when a company makes it impossible to help them fix their vulnerability? – Digitalmunition




  • #369478

    anonymous
    Participant

    So, one of the largest pharmaceutical wholesalers/distributors in the world (a $150 billion+ company) makes it impossible to reach a security department or, at the very least, to get my message passed along to the right person.

    The vulnerability is so bad, you can log in as any customer in the world.

    I’ve been reporting it for the last year: I literally called every other week a few months back, and I have also emailed and posted on social media that there’s a vulnerability that will put all their customers at risk.

    What do you guys do next? My conscience is getting the best of me; I don’t want potentially 50 million people getting their medical information leaked.

  • #369481

    PulseDialInternet

    If you mean you can log in as one of their major pharma customers, like Roche, J&J, Pfizer, Merck or Bristol Myers, i.e. you can log in to the distributor as them, then notify the pharmas and it will get fixed right away.

  • #369482

    Quadling

    I would appreciate it if you contacted me. I can put you in touch with the people at most major pharmas, and can hopefully get you paid for the bug. Bug bounty programs start with finds just like this. 🙂 Let’s talk.

  • #369483

    serendrewpity

    You’re posting this to a hacker forum. I think you know what you could do. Create an ***innocuous*** pain point for them. One that is mitigated by the solution you’re proposing.

  • #369484

    xQx1

    Call or email whoever is the tech journo at the Guardian in your country.

    [https://www.theguardian.com/](https://www.theguardian.com/)

  • #369485

    frankthelocke

    [HackerOne](https://www.hackerone.com/for-hackers/start-hacking) specializes in this sort of Vulnerability Disclosure Program (VDP).

  • #369486

    errormsgs

    I think everyone here closed the loop for the most part. My only addition would be to also expand as broadly as possible and consider all vectors of the vulnerability. Considering that it’s a login vulnerability, there’s obviously a misconfiguration/default configuration/etc., but can it be replicated elsewhere outside of pharma (if by chance it’s a widely used/distributed service)?

  • #369487

    noptamoius

    Stick it on a public disclosure site like pastebin or Reddit.

  • #369488

    bmeister13

    Use social media; DM them.

  • #369479

    DrinkMoreCodeMore

    If you tried responsible disclosure, give them 90 days and then just publish it online yourself, or go to a journalist/media company to write about it, or try to contact them via a media outlet.

  • #369480

    TrueExcaliburGaming

    RELEASE IT TO THE PUBLIC

    that’ll get a fucking response
