This topic contains 1 reply, has 2 voices, and was last updated by DrinkMoreCodeMore 1 month, 2 weeks ago.
- March 5, 2021 at 6:29 am #369478
So, one of the largest pharmaceutical wholesalers/distributors in the world ($150 billion+ company) makes it impossible to reach out to a security department or, at the very least, pass my message along to the right person.
The vulnerability is so bad, you can log in as any customer in the world.
I’ve reported it for the last year, literally called every other week a few months back, as well as emailed/posted on social media that there’s a vulnerability that will put all their customers at risk.
What do you guys do next? My conscience is getting the best of me; I don’t want potentially 50 million people getting medical information leaked.
- March 5, 2021 at 6:29 am #369481
If you mean you can log in as a major Pharma customer of theirs like Roche, J&J, Pfizer, Merck, Bristol Myers, i.e. that you can log in to the distributor as them, then notify the Pharmas and it will get fixed right away.
- March 5, 2021 at 6:29 am #369482
I would appreciate it if you contacted me. I can put you in touch with the people at most major pharmas, and can hopefully get you paid for the bug. Bug bounty programs start with finds just like this. 🙂 Let’s talk.
- March 5, 2021 at 6:29 am #369483
You’re posting this to a hacker forum. I think you know what you could do. Create an ***innocuous*** pain point for them. One that is mitigated by the solution you’re proposing.
- March 5, 2021 at 6:29 am #369484
Call or email whoever is the tech journo at the Guardian in your country.
- March 5, 2021 at 6:29 am #369485
[HackerOne](https://www.hackerone.com/for-hackers/start-hacking) specializes in this sort of Vulnerability Disclosure Program (VDP).
- March 5, 2021 at 6:29 am #369486
I think everyone here closed the loop for the most part. My only addition would be to also expand as broadly as possible and consider all vectors of the vulnerability. Considering that it’s a login vulnerability there’s obviously a misconfiguration/default configuration/etc., but can it be replicated elsewhere outside of pharma (if by chance it’s a widely used/dispersed service)?
- March 5, 2021 at 6:29 am #369487
Stick it on a public disclosure site like pastebin or Reddit.
- March 5, 2021 at 6:29 am #369488
Use social media, DM them
- March 5, 2021 at 6:29 am #369479
If you tried responsible disclosure, give them 90 days and then just publish it online yourself or with a journalist/media company to write about it or try to contact them via a media outlet.
- March 5, 2021 at 6:29 am #369480
RELEASE IT TO THE PUBLIC
that’ll get a fucking response