by jupenur 3347 days ago
Also a big issue here, as with many software vulnerabilities, is that the people the public disclosure would actually damage are the users, not the company making the vulnerable software. The bank would only start losing money if the users (personal customers, business customers using their APIs) noticed the hack and started demanding their money back.
1 comment

It would be very nice if your security disclosure report included a section about how you have provided good-faith upfront notice to the vendor and that, based on research and belief, it would be negligent for the company to not fix the issue by X date.

The wording you choose should be cognizant of your state's laws and the company's user agreement in such a way that the company is actually at risk if they ignore you.

When talking to people, "Reason is, and ought only to be the slave of the passions".

When talking to companies it is only necessary to discuss the impact on their profit.

Just to be clear, I haven't really disclosed anything publicly, not regarding the e-payment API issue or any other issues for that matter. The SlideShare from my comment references the e-payment API vulnerability but doesn't disclose any technical details. It's not possible to reproduce the attack based on the slides alone.