It's so great that they allowed him to publish a technical blog post. I once discovered a big vulnerability in a listed consumer tech company -- exposing users' private messages and also allowing impersonation of any user. The company didn't allow me to write a public blog post.
Up until Van Buren v. United States in 2020, ToS violations were sometimes prosecuted as unauthorized access under the CFAA. I suspect there are other jurisdictions that still do the equivalent to that.
Presumably they'll threaten to sue you and/or file a criminal complaint, which can be pretty hard to deal with depending on the jurisdiction. At that point you'll probably start asking yourself if it's worth publishing a blog post for some internet points.
Product-focused Software Engineer with 4+ years of experience delivering production-scale systems across early stage startups and global tech companies. Proven record in 0→1 development, scalable infrastructure, and ML-powered product features – driven by speed, clarity, and focus on end-user impact.
Thanks for the reply - really appreciate it. I get the sense of what you are indicating and it makes sense as well. Also, I am not a security researcher, but a software engineer who tinkers around with other apps.
The company doesn’t deal with health or financial data, but yeah, user impersonation and access to private messages is still serious enough to expect some level of accountability.
I’m holding off on sharing more details for now since mentioning the domain + the vuln might make it too easy to identify the company.
I’m leaning toward a public write-up after giving them fair notice.
One more thing is that the vulnerability has already been fixed (I reported it 3 weeks ago), so not sure how much leverage that still gives.
Thanks for the thoughtful reply — really appreciate it.
I actually stumbled upon the vulnerability without any prior request. They don’t have an active bug bounty program, and the Head of IT Security I’m in touch with mentioned they don’t have dedicated funds for security researchers — which is hard to believe for a company with a £200M+ market cap.
I’ll definitely dig a bit deeper into the legal side.
Based on all the suggestions here, I’m leaning toward quoting them a fair amount considering the impact. If they don’t agree, I’ll likely reject the NDA and do a public write-up after a reasonable disclosure window.
One thing I forgot to mention earlier: as of today, the vulnerability is fixed (I reported it around 3 weeks ago), not sure if that changes anything leverage-wise.
Indeed | Software Developers - all level | USA, India, Japan, Singapore | Full Time | Remote, Onsite, Flex
At Indeed (We help people get jobs) https://www.indeed.jobs/ there are multiple open roles. I can refer for any technical roles that you are interested in. Please fill out this google form for the same -- https://forms.gle/xnVtBQoCNCPNKokEA
With other employees of the same company. For example, when we were working from the office before COVID we could have a coffee break or play games like pool, poker, etc., but in remote work there is no fun activity.
Gotcha, there was a social app posted here a few months ago (maybe 4-6 months ago) that aggregated a bunch of online games and added chat. I can't remember the name, but I think it was something like koshi.
I've seen people doing "fun time" over Zoom and doing things like playing games, watching a movie together, etc.