by freijus 5083 days ago
I discovered a web site with an XSS vulnerability. I sent them an email a year ago about this security problem. Nothing has changed yet.

What should I do now?

Last time I pointed them to some Wikipedia articles relating to their vulnerabilities.

5 comments

It depends on a number of things. If you've documented your communications with them and have repeatedly tried to get in touch, you may feel like disclosing publicly. A year is more than enough time to fix an XSS issue, and nobody would really judge you for going public with it.

However, this might depend on where you live. Some countries (like the UK, where I'm typing this from) make testing websites for vulnerabilities illegal, no matter how serious the issue or how good the intentions[1]. Very few people are actually caught by these laws, but there is always a risk that you piss off a litigious company, who then go after you.

[1]: http://jeremiahgrossman.blogspot.co.uk/2006/09/is-testing-fo...

I encountered a problem with one of our vendor's login pages. I found that sending them a link that added a giant "YOU HAVE A PROBLEM HERE" graphic to the page and popped up an alert containing your password when you hit submit got the point across better than trying to explain it.

I probably wouldn't have done that if I didn't already have a relationship with the vendor, though. I don't want to be accused of extortion or cyberterrorism.

http://serverfault.com/questions/277843/security-flaw-report...

I would say the biggest concern is that you could become a target. Say that you, in good nature, inform them that you can buy items for free due to an injection attack. 4 days later someone else buys $10,000 worth of gear using the same exploit. They now only have one suspect: you.

Write a blog post explaining exactly what is wrong and why it is a problem, then tweet it to them and post it to their Facebook wall. If they won't fix the security issues, then maybe you can save a fraction of their users by convincing them to go elsewhere. (And by making noise publicly they are probably more likely to actually do something about it)
When you do this, at least at first, don't name the site. In your email to the site you can tell them the blog is about them.

If you do feel the need to spill who is at fault, you can do it in the comments or in a follow-up post at a later date.

Yeah, it's almost your civic duty to warn potential customers. But you have to be careful at the same time not to attract more attention to it than necessary.

I'm not 100% on the rules of responsible disclosure, but isn't giving a company more than a year to fix an incredibly basic error more than enough time? The longer you wait, the higher the chance a black hat will come along; why should their customers burn due to the company's apathy?
Agreed. At that point I'd post it on an anonymous blog through a proxy, just to protect yourself in case they want to be assholes.
Well, thank you all for your advice. It's been an interesting discussion.

As it is only a small shop, I think I will email them again, but this time with a link that points to a more verbose version of the vulnerability, as someone mentioned.