Ask HN: How to Deal with Companies Ignoring Responsible Disclosure Terms?
2 points by tomglynch on Feb 20, 2019 | 1 comment
I have followed the responsible disclosure model to make companies aware of security vulnerabilities in their software. Some of these include being able to view private user information. As part of the process I request that companies alert their users that their data may have been breached. If companies do not follow this request, what should I do?


Do companies actually fix the bug/vuln you identify? If so, I’m amazed that they even do that, and I would accept that as a “good enough” win.

Regarding disclosure, although this sounds like a lame position, I would wait for the courts to decide. There are a lot of cases winding their way through the Circuit Courts in the US that will give us a framework for disclosing and when to do it, regardless of the actions of any Federal agency.

If they don’t agree to fix the bug, by all means “name and shame”. Document all your interactions with them though.

Also if it’s medical data remember HIPAA has a breach notice that applies in all 50 states so there is that.

Also also, after the bug has been fixed there is nothing to stop you from writing a blog post and letting the “media” pick it up naturally as part of the news cycle.

NOTE: I have CISSP and CASP, so I think that means something.




