Ask HN: How long to give a website to fix their security flaw?

3 pointslmai15y ago2 comments

How long should one give for a website to fix their security flow before warning their customers? Corollary: How should it be done since I can't reach out to their customers?<p>Background: The hack is simply changing the id variable in the url. It's a serious bug as you can view some of my photos from my various social networks. This could be detrimental to the VC backed company as they just did a Groupon-type deal (which is how I came to be a customer).

2 comments

2 comments · 1 top-level

maushu15y ago· 1 in thread

Send a high priority email to their customer support (or alike), wait 24 hours, if no response is received then tell the customers (blog post? forum thread? hnews/reddit?).

If response is received wait a week or so and, again, check for the existence of the exploit.

lmaiOP15y ago

Thanks. I was thinking giving them the weekend.

j / k navigate · click thread line to collapse