It's so great that they allowed him to publish a technical blog post. I once discovered a big vulnerability in a listed consumer tech company -- exposing users' private messages and also allowing to impersonate any user. The company didn't allow me to write a public blogpost.
Product-focused Software Engineer with 4+ years of experience delivering production-scale systems across early stage startups and global tech companies. Proven record in 0→1 development, scalable infrastructure, and ML-powered product features – driven by speed, clarity, and focus on end-user impact.
thanks for the reply - really appreciate it. I get the sense of what you are indicating and it makes sense as well. Also I am not security researcher, but a software engineer who tinker around with other apps
The company doesn’t deal with health or financial data, but yeah, user impersonation and access to private messages is still serious enough to expect some level of accountability.
I’m holding off on sharing more details for now since mentioning the domain + the vuln might make it too easy to identify the company.
I’m leaning toward a public write-up after giving them fair notice.
One more thing is that the vulnerability has already been fixed (I reported it 3 weeks ago), so not sure how much leverage that still gives.
Thanks for the thoughtful reply — really appreciate it.
I actually stumbled upon the vulnerability without any prior request. They don’t have an active bug bounty program, and the Head of IT Security I’m in touch with mentioned they don’t have dedicated funds for security researchers — which is hard to believe for a company with a £200M+ market cap.
I’ll definitely dig a bit deeper into the legal side.
Based on all the suggestions here, I’m leaning toward quoting them a fair amount considering the impact. If they don’t agree, I’ll likely reject the NDA and do a public write-up after a reasonable disclosure window.
One thing I forgot to mention earlier as of today — the vulnerability is fixed (I reported it around 3 weeks ago), not sure if that changes anything leverage wise.