I was looking for some help on an issue I was facing and I accidentally stumbled upon a service from another company which was exposed to the public internet.
This service allowed exporting the raw configuration, API keys, usernames, passwords, URLs, etc. D:
I tried to find a contact to reach out to, but I wasn't able to find anything on their site. The contact on their site is only for sales and press, of which I want neither.
How would you handle this situation?
Top comments (1)
First, check if they have a .well-known/security.txt file on their server. If this file exists, it should contain information (in a reasonably human-readable but still machine-parseable format) explaining their security reporting policy. More details on this can be found at tools.ietf.org/html/draft-foudil-s....
Failing that, try and find out if they are a subsidiary of some other company. If so, you may be able to find a security contact for that company to report things to.
If that doesn't turn anything up, try a WHOIS lookup on their domain. Assuming they haven't hidden the information, you should be able to get a point of contact through that who should, in theory, be able to get you in touch with the person you need to notify about the bug. Try the administrative contact first, then technical, then finally the registrant, as that's usually the order of responsibility for such things.
Assuming none of those pan out, send an email to all of the following well-known user names under their domain explaining that you have found a severe security issue (this one is about as severe as it can get) that you wanted to notify them about, but could not find any information about how to securely disclose the details to them:
webmaster
support
help
admin
hostmaster
contact
info
root
www
ipadmin
dnsadmin
ssladmin
webmaster should resolve to a real person, but if it doesn't, most domains that accept email have some subset of the others as valid addresses that go to real people, so you should have a decent chance of getting a real person with this approach.
Also, and this is really important, do not send specifics about the bug until you have established contact. They may have some specific policy for handling this securely; always ask about that first if you cannot find information about such a policy anywhere.
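The following script automates the first and last steps of the comment above: it parses a .well-known/security.txt file, checks that its Contact entries are usable (known URI scheme, Expires date not already past), and otherwise falls back to the role addresses listed in the comment. It is an added example, not code from the original thread; the domain example.com, the file contents and the fetch helper are constructed for illustration.

```python
"""Added example: find a security disclosure route for a domain.

Order of preference follows the comment above: security.txt first, then
the well-known role addresses. Field names are those of RFC 9116 / the
draft-foudil security.txt specification.
"""
import re
from datetime import datetime, timezone
from urllib.request import urlopen

# One "Name: value" line; names are letters and hyphens, values are free text.
FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$")

# Contact URIs the spec allows (mailto:, https:, tel:).
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https:", "tel:")

# Role addresses from the comment above, in the order it lists them.
ROLE_ADDRESSES = ["webmaster", "support", "help", "admin", "hostmaster",
                  "contact", "info", "root", "www", "ipadmin", "dnsadmin",
                  "ssladmin"]

# Constructed sample file for illustration; not any real organisation's file.
SAMPLE_SECURITY_TXT = """\
# Sample security.txt (constructed)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, de
Policy: https://example.com/security/policy
"""


def parse_security_txt(text):
    """Return {field_name_lowercase: [values, ...]}, skipping comments and
    blank lines. Repeated fields (several Contact lines) keep file order,
    which the spec defines as order of preference."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # tolerate junk lines rather than abort
        fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields


def check_security_txt(fields, now=None):
    """Return (contacts, problems). Contacts are usable URIs in preference
    order; problems lists reasons the file should not be trusted as-is
    (no Contact, unknown URI scheme, expired)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    contacts = []
    for uri in fields.get("contact", []):
        if uri.lower().startswith(ALLOWED_CONTACT_SCHEMES):
            contacts.append(uri)
        else:
            problems.append(f"unsupported Contact URI: {uri}")
    if not contacts:
        problems.append("no usable Contact field")
    for value in fields.get("expires", [])[:1]:
        expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires < now:
            problems.append(f"expired on {value}")
    return contacts, problems


def fallback_addresses(domain):
    """Role addresses to try when no security.txt contact exists."""
    return [f"{name}@{domain}" for name in ROLE_ADDRESSES]


def fetch_security_txt(domain, timeout=5):
    """Fetch https://<domain>/.well-known/security.txt; None if anything
    fails (404, TLS, DNS). Needs network access, so the sample below passes
    the text in directly instead of calling this."""
    try:
        with urlopen(f"https://{domain}/.well-known/security.txt",
                     timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None


def find_disclosure_route(domain, security_txt_text, now=None):
    """Return ("security.txt", contacts) when the file is present and
    passes the checks, else ("role-addresses", addresses)."""
    if security_txt_text is not None:
        contacts, problems = check_security_txt(
            parse_security_txt(security_txt_text), now)
        if contacts and not problems:
            return "security.txt", contacts
    return "role-addresses", fallback_addresses(domain)


if __name__ == "__main__":
    print(find_disclosure_route("example.com", SAMPLE_SECURITY_TXT))
    print(find_disclosure_route("example.com", None))
```

When run against the constructed sample it reports the two Contact URIs in preference order; with no file it returns the role-address list starting with webmaster@example.com. The expiry check matters because a stale file may point at a mailbox nobody reads any more, which is exactly the situation the comment's fallback steps are for.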