Agreed. CFAA makes these kinds of disclosures stupid-risky in the USA. If the company has a bug bounty program then MAYBE disclose. You only stand to lose by trying to be a good Samaritan otherwise.
One of their servlets had a query parameter like
/servlet/com.sun.projectname.SuperCrazyServlet?url=some_url_encoded_param
and I found out that it accepted file:// URLs.
They had the daemon running as root and I could read everything on the box.
Anyway. I sent them an email to webmaster and to a few PMs I knew but heard nothing back.
About a week later I got a REALLY nasty legal as apparently they thought my email was an attempt to extort them and not just a nice guy trying to point out the problem.
I think they thought I downloaded source code ...
The PMs I emailed had to step in and vouch for me but I think that without their help I would have ended up with a really shitty lawsuit.
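The bug pattern the comment above describes, reproduced as an added example (not the poster's code, and in Python rather than the servlet's Java; the parameter name, allowlist and sample file contents are illustrative). Python's urllib, like java.net.URL, ships a handler for file:// alongside http://, so a fetcher that hands a user-supplied URL straight to the opener reads local files with whatever privileges the process has. The second function is the check the servlet lacked: an explicit scheme allowlist applied before anything is dereferenced.

```python
"""Added example: user-controlled URL forwarded to a URL opener.

vulnerable_fetch() is the pattern from the comment: ?url=... goes straight to
the opener, which dispatches on scheme and serves file:// like http://.
validate_url() is the hardened check. Names and sample data are constructed.
"""
import os
import pathlib
import tempfile
from urllib.parse import urlsplit
from urllib.request import urlopen

# Assumption: only remote web URLs are legitimate input for this endpoint.
ALLOWED_SCHEMES = {"http", "https"}


def _open(url: str) -> bytes:
    """urlopen dispatches on scheme; file:///path is served just like http."""
    with urlopen(url) as resp:
        return resp.read()


def vulnerable_fetch(url: str) -> bytes:
    """The original pattern: the query parameter is dereferenced unchecked."""
    return _open(url)


def validate_url(url: str) -> str:
    """Reject anything that is not an absolute http(s) URL naming a host.

    The scheme is lower-cased so FILE:// and File:// are caught too, and
    the netloc check rejects 'https:///local/path' style inputs as well as
    bare paths (which urlsplit reports with an empty scheme)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.netloc:
        raise ValueError("URL must name a remote host")
    return url


def safe_fetch(url: str) -> bytes:
    """Hardened version: validate, then dereference."""
    return _open(validate_url(url))


def is_accepted(url: str) -> bool:
    """Allowlist decision without performing any fetch."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False


def demo_local_file_read() -> bytes:
    """Constructed demo: write a temp file and show the unchecked fetch
    returns its contents via a file:// URL, with no network involved."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".cfg") as f:
        f.write(b"db.password=hunter2\n")  # constructed sample content
        path = f.name
    try:
        return vulnerable_fetch(pathlib.Path(path).as_uri())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("unchecked fetch read:", demo_local_file_read())
    for candidate in ("https://example.com/page",
                      "file:///etc/passwd",
                      "FILE:///etc/passwd",
                      "file:/etc/passwd",
                      "jar:file:///app.jar!/x",
                      "/etc/passwd"):
        print(f"{candidate:28} accepted={is_accepted(candidate)}")
```

The scheme allowlist is necessary but not sufficient: an http(s) URL can still point at loopback or internal hosts, so a fetcher exposed to the internet also needs to constrain the destination host (after DNS resolution) before connecting.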