
I truly don’t understand why you decided to take the stance of setting them deadlines and disclosing the vulnerability if they miss them. I understand you had good intentions, but I also can see how this can look like unnecessary escalation and even like blackmail to someone outside the industry, like an insurance manager or a lawyer.

I agree that disclosing a vulnerability in a major web browser or in a protocol makes sense because it’s in the interests of humanity to fix it asap. But a random insurance firm? Dude, you’re talking to them as if they were Google.

If you really care about them and wish them well (which I believe you do!) you should’ve just left out the deadlines and disclosure part, and I don’t think cc’ing the national agency was that necessary given the scale of the problem. Maybe you should’ve just given them a call and had a friendly chat over the phone. You would’ve helped them and stayed friends.



Adding a deadline to a disclosure of a vulnerability of this nature is standard practice. Every day it's not patched is a day data could be compromised. Any halfway competent lawyer should be fully aware of this.

Disclosure without a deadline WILL be ignored.

It does not matter if it's Google or your local boyscouts club, any organization requiring users to provide information that can be abused in the wrong hands takes on a responsibility to handle such data responsibly.


NIS 2 article 12 specifically says the CSIRT must help reporter and provider negotiate a disclosure timeline. He set a timeline because there's supposed to be a timeline.


There's always a deadline, otherwise there is no incentive to remediate.


This is what the blog writer wrote in the email informing them about the vulnerability:

> I am offering a window of 30 days from today the 28th of April 2025 for [the organization] to mitigate or resolve the vulnerability before I consider any public disclosure.

> Please note that I am fully available to assist your IT team with technical details, verification steps and recommendations from a security perspective.

He is offering a window of 30 days and that he will consider public disclosure only after that window. He didn't say that this was the full and final window. He didn't say that he will absolutely and definitely disclose. He is being more than co-operative by willing to offer his time and knowledge in this matter, even if he doesn't need to.

If they are not Google, then instead of push-and-shove legal threats, they could have been forthcoming and said something like, "We are not an IT company with expertise in this matter. We will definitely need more than 30 days to resolve this matter. Please let us know if you are agreeable to a longer time window of <n days> before you consider disclosure."

To top it all, they ask to keep this matter away from the authorities despite:

> The Maltese National Coordinated Vulnerability Disclosure Policy (NCVDP) explicitly requires that confirmed vulnerabilities be reported to both the responsible organization and CSIRTMalta.

So he followed the law and that is bad, how?

> I don’t think cc’ing the national agency was that necessary given the scale of the problem.

Children's addresses were publicly accessible via the vulnerability - does the urgency solely require the matter to be large scale to be taken seriously?

> Maybe should’ve just given them a call and have had a friendly chat over the phone. You would’ve helped them and stayed friends.

The same could be said about the company. Why are only people expected to be nice and friendly while it is fine for companies to issue legal threats?


It's not only about pressure, but also telling all the people whose data can be read AKA the public.

And still, it's also about the pressure. I found a pretty bad injection/XSS in an online banking website. Told them, got no response. After waiting, I blogged about it (without specifying what the actual issue was). Then someone contacted me and said I needed to take down the wrong information. Sent back a PoC and only then did they start fixing it. In the meantime every customer could have gotten emails stealing their login data.


I truly don’t understand how you can be so naive xox


I think it is obvious that the author just wants to come across as the great hero bounty hunter he is, and in fact he did reach the HN front page, so good for them.

If he wanted to solve it he would automatically sue them back for breaching his and his clients' personal data and not make any publicity blog post.


Nope, this just doesn't work either.


That's an assumption - maybe backed by experience, but still. The professional way would be to slowly escalate. Tell them nice and friendly. Wait a bit. Increase pressure bit by bit.

You also don't directly shout at anyone making a mistake - at least not the first time.


This is standard practice. Typical HN behaviour to drive by with quite evidently zero relevant background and self-righteously preach for three paragraphs about something that you don’t understand. This industry sucks.


First day on the Internet, huh? A word of advice: never go to Reddit or read the YouTube comment section.


It's standard practice and it freaks managers the fuck out, esp if they're not familiar with hacker culture. Maybe the standard practice needs some work? I'm not sure, I understand the perspective of security researchers who want to force action on a fix. But I also completely understand how a deadline is perceived as a threat.

Don't forget that there's lots of gray hat / black hat hackers out there as well, who will begin with an email similar to this, add a bitcoin address for the "bug bounty" in the next, and will end with escalating the price of the "bounty" for the "service" of deleting the data they harvested. It's hard even for tech-savvy managers to figure out which of these you're dealing with. Now put yourself into the shoes of the average insurance company middle manager.

For completeness, I don't think this company's behavior is excusable. I'm just saying that maybe also the security community should iterate a bit more on the nuances of the "standard practice" vulnerability reporting process, with the explicit goal of not freaking people out so bad.


If this freaks them out maybe they shouldn’t roll their own SaaS?


They almost certainly did not. They likely just hired a cheap contractor to get their service up, and went with it when "it worked".

The contractor (who was certainly incompetent) probably looked at a bunch of nightmarishly complex identity APIs and said "F** it!" Combine that with being grossly underpaid and you get stuff like this.

It's a bad situation, of course, and involving threatening lawyers makes it even uglier. But I can understand how a very small business (knowing nothing about IT other than what their incompetent contractor told them) might get really offended and scared shitless by some rando giving them a 30-day deadline, reporting them to authorities, and demanding that they contact all affected customers.


Sure, they might get rightfully scared because their neglect caused potential issues for their customers and having that public might decrease revenue.

But that is ok, I think. They should get scared enough to not risk such neglect again.


How is an insurance company a SaaS?


Most likely, the insurance company handles the actual insurance policies, claims, payouts, etc. themselves, but uses a contractor to build their website, user portals, etc.


Survival (post diving accident) as a Service


Maybe the standard practice sucks. No matter how you turn it around, it does sound like blackmail. Just because you disclose a vulnerability to an org doesn’t mean you have any right or legitimacy to impose a deadline on them; you’re not their boss. This is some vigilante shit and it has no justification whatsoever. Report to the org, report to the authorities as needed and move on.


Without a deadline of some form, when do you escalate to public knowledge so customers can know they might get defrauded in some capacity?


> Without a deadline of some form, when do you escalate to public knowledge so customers can know they might get defrauded in some capacity?

You set a deadline after an initial conversation and urging them to fix it, if they don’t respond. I think the idea would be to escalate slowly. Like the original poster said, large tech companies know how to do this and have streamlined the process. But to someone not familiar with the process it looks like threats and deadlines imposed by a random person.

I am not defending the company, just presenting their possible point of view. It’s worth seeing things through their eyes, so to speak, to try to understand their motivations.


But that is the intention, isn't it? The company showed neglect. The researcher has a moral right ( and I would say duty) to make that public. It's nice of them to give the company some time to get their shit together. After the vulnerability has been fixed there is no issue for customers in publishing about the neglect. The bad press for the company is deserved.


The idea was to change the initial approach and not mention deadlines and just see if they’ll fix it. Point to the law indicating they should notify the authorities. Then, if they don’t respond, give them a timeline and tell them you’re notifying them. Like the original post said, this is not Google, not a tech company; this looks like extortion of some sort to them. So it’s not that surprising what their response was.

It all depends on the goal. Is the goal for them to fix it most of all? To get them embarrassed? To make a blogpost and get internet points?


Blackmail to gain what? Speedy update to the site? The OP is going to disclose the vulnerability. The only matter up for debate is the timing.



