Ask HN: Worth following up? Publicly facing root passwords on a Fortune 100

[JungleCats]

Hey there guys! Sorry if this isn't the normal style for posts, I haven't been on here long.

Essentially, I recently found a publicly facing document which detailed ALL of the root passwords for a Fortune 100 company. (Amongst other things, it was an open directory which also included all of the staff VPN passwords, and other sensitive information including SQL backups). I immediately reported this issue to them. I was told they would get back to me, and after reporting the issue I have sent multiple followup emails and have been selectively ignored. (I stumbled upon the root passwords completely by accident while looking around Google for information relating to an unrelated company). They have now removed the documents in question, (though they are still cached by Google). Should I let this go? I'm not sure whether it's worth pursuing. I don't want recognition, or hush money. I would have been content with a thank you, and I would have called it a day. Oh, and if it is relevant I sent my first email on January 23rd.

[eurodance]

Unless there is a bug bounty-type program in place, I wouldn't expect an email back. You're wasting your time. I've had the same results as you in the past. I don't even report them anymore.

[JungleCats]

Slightly off-topic, but check out this great email from PayPal today.

Hi JungleCats,

Thank you for your participation in the PayPal Bug Bounty program.

While we continue to review each vulnerability we receive on a case-by-case basis, we have determined that this bug is not eligible for payment based on the fact the website is in the process of being decommissioned and will be shut down in the near future.

Thank you, PayPal Security Team

yawn

[alexdevkar]

In this area, no good deed goes unpunished. It sounds silly, but you have to be careful.

[JungleCats]

Yeah, I absolutely see where you are coming from.

I considered just emailing the CEO and being all "Hey, thought you should be aware that I've sent multiple emails and just wanted to ensure you are informed"

[snowwrestler]

It's rude not to email you back, but then again they don't know who you are or for sure how you got that info--all they know is that you have their sensitive data. Some lawyer probably advised them to act on the info but not communicate with you.

You've done a Good Thing, but like many good things, it will most likely go unrewarded.

[JungleCats]

Yeah, I guess you are right. It's more that I expected a simple "Thanks" for ensuring that they didn't end up on the front of the New York times at some stage.

[logn]

Fortune 100 companies are definitely aware that anything in email is evidence. I doubt anyone wants to admit negligence or anything. And by offering you some big thanks they only validate that they were real passwords and not some junk data.

For an enormous corp to take down a file in a couple of weeks is thanks and recognition enough I think.

[dpweb]

You might have gotten some admin or mid-manager. Maybe they wanted to cut off communications (pretend it never happened) before their boss finds out about it. Seen guys do that before..

[pasbesoin]

I once reported password exposure via browser caching in the login form of one of those "too big to fail" banks. (I called it in.)

I never heard anything back, but a month or so later, it was fixed.

I'm glad it was some years ago. These days, I think I'd fear that their legal team would seek to have me criminally charged and/or bankrupted, regardless. (Don't look at the password caching; that's "hacking".)

I guess you did a good thing. In this day and age, though, I almost wish they were named, as such behavior represents an extreme form of negligence. (I am not advising you to reveal them, though. See, for example, my previous paragraph.)