Love to find a minor security vulnerability first thing in the morning while checking my emails in bed.

Reported to the third party before breakfast because well-known VC-backed ecommerce startups can't do security apparently and that stresses me out.
Update: Spent 5 more mins and found 2 more serious vulnerabilities.

Hope they respond well to security reports, otherwise I will have to cancel my subscriptions.
Writing these vulnerability reports only makes me think how callous a company could be to put its users at risk, especially domestic violence and stalker victims who require extreme privacy.
A full account takeover with no user (or company!) knowledge, which also allows access to current+prior addresses and phones is downright scary if I needed to keep those details secure.
Pro-tip: Always have a security contact who can review high/critical-vulnerability reports within a reasonable timeframe. Been nearly 48 business hours, 96 total hours, since initial attempt to report without a proper response.
*Goes to /info.php on a whim really hoping that won't work*

Moments ago, exclusive footage from my desk:
InfoSec Twitter: Is 48 business hours + weekend more than enough time to have a security report escalated and reviewed by a security contact?

Critical security vulnerability in a US-based website with 1 million+ accounts, 30-130k paying. No phone number. Multiple emails sent.
Full 5 days after initial report, no appropriate response or escalation.

Patiently waiting since I have no other options.

Also realized they have EU customers, so they likely violated EU data breach reporting laws (72 hrs). Not sure if that applies to vulns allowing breach.
I have attempted to contact the company directly for 6 days, and their external public relations team for 2 days, and no one has responded.

I'm finding it harder to trust their initial reply: "We take our customer's security very seriously and will investigate this thoroughly."
Starting to think every time they insist my emails have been forwarded to their engineering team, they are really forwarding my emails to their legal team or the spam folder.
(Drama intensifies)

I've had to contact the last group of people I would prefer to contact in this situation: one of the company's VC investors (an org).

Luckily they are more responsive and reached out to the company, so hopefully the reporting process gets moving soon.
Finally broke radio silence: Investor reached out to CEO, and I received a reply from their engineering team.

But still no progress.

Email said they will "fix the problem right away", which is not possible since I have not sent details. I was requesting a security contact.
High/critical-severity vulnerability details sent. 7 days later, finally.

Now to write up and submit the other... *counts* 8-12 (!!!) other vulnerabilities I've found on their website over the past few days, some also high-severity.
Great progress!

They reported their highest-severity issue was resolved, in a matter of hours. (I haven't fully verified yet.)

They now have the other vulnerability reports (7 so far, 9 total) so hopefully they can fix the more severe ones just as quickly.
Once I got in touch with the security contact, they were incredibly responsive, acted quickly, and were welcoming to a stranger who gave them a lot of urgent work.

That is how it should be handled from the very beginning.

Shouldn't take escalation to their CEO via an investor.
Final report submitted. 9 total vulnerabilities, many of them high or critical severity.

Now to wait for all of those to be fixed, and then move on to request disclosure to users, etc.

Enjoy your safer weekend, [Redacted Company] customers!
Hope I can disclose company name, more behind-the-scenes of the stressful reporting process, and details about vulnerabilities in a few days/weeks.

Thanks for the interest, everyone!

Until then, @troyhunt's Data Breach Disclosure 101 is a great read: troyhunt.com/data-breach-di…
Thread by Alesandro Ortiz 🇵🇷🏳️‍🌈