Skip to content

I reported a security vulnerability. Now what?

github logo ・1 min read  

I recently discovered a vulnerability for the first time. I found the product's security contact and sent some information. Ideally they will respond acknowledging the issue and provide a timeline for a patch.

What if that doesn't happen? How long is appropriate to wait before following up? When do you promise public disclosure? What if they disagree that it is a vulnerability?

Is there a guide for reporting vulnerabilities somewhere? I thought I'd be able to find one but I wasn't able to. A resource like that would be handy.

twitter logo DISCUSS (5)
markdown guide

Troy Hunt, a well known security expert, as several articles about responsible disclosure, just google with this term responsible disclosure and see the several articles he have about it.


I like Troy Hunt and read his site regularly. He's one reason I'm interested in infosec. However the articles on his site seem to be all about "how not to handle disclosure the completely horribly most very wrong way as a company", and not so much about the reporting side.


There’s a limit of responsible disclosure, I usually do 90 days after report. Make sure you do numerous follow ups if they fail to respond and inform them you’ll be disclosing in 90 days if they fail to provide a patch.

If they disagree it’s a vulnerability, then let the internet decide in your public disclosure.


Isn't that company on a Bug Bounty?
Is there a security part in its website to communicate with them using their PGP key?

If so, be careful about what you are doing. Some companies are prone to prosecute you based of this kind of behavior (and the Internet is not going to help on that).

Classic DEV Post from Nov 28 '19

New browser on the block!

Photo by Jacalyn Beales on Unsplash Well, it looks like the web browser ecosystem is getting another...

Ryan profile image

Sore eyes? now has dark mode.

Go to the "misc" section of your settings and select night theme ❤️