jnimmo:turtleattacks:
jnimmo: In future if you’re having trouble getting traction with the company, CERT NZ provide a vulnerability disclosure program where they can help communicate it to the organisation.
Just picking this up again - what's a reasonable time to expect a reply in a timely manner?
Would 24 hours after initial email be enough until a contact is made with CERN's program?
Edit: Not the same company.
Sounds reasonable, it can be helpful having the notification coming from a trusted third party like CERT to get the message through!
Thanks team, the merchant has now patched the API. It was leaking some pretty sensitive PII info.
No response from them though after disclosing it to them in a very polite email.
This type of disclosure always baffles me. It's rare to get responses from the companies, not an acknowledgement, not a thank you email.
Feels like the tactic of "Do not negotiate with the kidnapper/ransom" is in the playbook, apart from the fact I wasn't asking for anything!
I'll probably email CERT tomorrow.
Edit: This probably isn't a nuclear issue concerning CERN. :)