[sheraz]

I use LinkedIn when I have to penetrate a bureaucracy such as this.

Nothing gets action faster when a VP or higher get a personal email / phone call regarding something like this.

Step 1: Troll linkedin to find these people in positions of real power.

Step 2: If they are easy to reach via email or on the platform, try that. Failing that, call their HQ and work the phones until you get to them.

Step 3: Win.

[Gustomaximus]

I did this recently when I noticed a way into a company customer database that had name/address/phone/purchases. Initially I contacted 3 different employees who I had emails addresses and nothing happened. Some months later when I saw nothing changed I contacted the CEO on Linkedin. Surprisingly he wrote to me saying thanks and this was really bad, rather than the expected no response or legal nothing to say response. He also said someone would be in contact to thank we and then some days later I got a call from the CIO who asked 'what do you think I should do to fix'... very strange call.

Most importantly I made sure on the email sent to the company clearly stated I had accidently found this error in their systems, only told them and worded it in a way that if by small chance they went legal on me I would post the correspondence on social media (they are several very large brands) and get the relevant attention that would likely make them back off.

I aslo found one that I feel is, while less relevant, a breach of data trust with Google but they believe this is a 'feature': I posted about this one here: https://news.ycombinator.com/item?id=10591980

Personally I find it strange Google would confirm an email address exists and share my first/last name with anyone.

[otterley]

I think you mean "trawl," not "troll." :-)

[sheraz]

...or do I ;-) ?

[alexleclair]

Actually a pretty good idea! Thanks!