frontpage.

PID Controller

https://en.wikipedia.org/wiki/Proportional%E2%80%93integral%E2%80%93derivative_controller
1•tosh•3m ago•0 comments

SpaceX Rocket Generates 100GW of Power, or 20% of US Electricity

https://twitter.com/AlecStapp/status/2019932764515234159
1•bkls•3m ago•0 comments

Kubernetes MCP Server

https://github.com/yindia/rootcause
1•yindia•5m ago•0 comments

I Built a Movie Recommendation Agent to Solve Movie Nights with My Wife

https://rokn.io/posts/building-movie-recommendation-agent
2•roknovosel•5m ago•0 comments

What were the first animals? The fierce sponge–jelly battle that just won't end

https://www.nature.com/articles/d41586-026-00238-z
2•beardyw•13m ago•0 comments

Sidestepping Evaluation Awareness and Anticipating Misalignment

https://alignment.openai.com/prod-evals/
1•taubek•13m ago•0 comments

OldMapsOnline

https://www.oldmapsonline.org/en
1•surprisetalk•15m ago•0 comments

What It's Like to Be a Worm

https://www.asimov.press/p/sentience
2•surprisetalk•16m ago•0 comments

Don't go to physics grad school and other cautionary tales

https://scottlocklin.wordpress.com/2025/12/19/dont-go-to-physics-grad-school-and-other-cautionary...
1•surprisetalk•16m ago•0 comments

Lawyer sets new standard for abuse of AI; judge tosses case

https://arstechnica.com/tech-policy/2026/02/randomly-quoting-ray-bradbury-did-not-save-lawyer-fro...
2•pseudolus•16m ago•0 comments

AI anxiety batters software execs, costing them combined $62B: report

https://nypost.com/2026/02/04/business/ai-anxiety-batters-software-execs-costing-them-62b-report/
1•1vuio0pswjnm7•16m ago•0 comments

Bogus Pipeline

https://en.wikipedia.org/wiki/Bogus_pipeline
1•doener•18m ago•0 comments

Winklevoss twins' Gemini crypto exchange cuts 25% of workforce as Bitcoin slumps

https://nypost.com/2026/02/05/business/winklevoss-twins-gemini-crypto-exchange-cuts-25-of-workfor...
1•1vuio0pswjnm7•18m ago•0 comments

How AI Is Reshaping Human Reasoning and the Rise of Cognitive Surrender

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6097646
3•obscurette•18m ago•0 comments

Cycling in France

https://www.sheldonbrown.com/org/france-sheldon.html
1•jackhalford•20m ago•0 comments

Ask HN: What breaks in cross-border healthcare coordination?

1•abhay1633•20m ago•0 comments

Show HN: Simple – a bytecode VM and language stack I built with AI

https://github.com/JJLDonley/Simple
1•tangjiehao•23m ago•0 comments

Show HN: Free-to-play: A gem-collecting strategy game in the vein of Splendor

https://caratria.com/
1•jonrosner•23m ago•1 comments

My Eighth Year as a Bootstrapped Founder

https://mtlynch.io/bootstrapped-founder-year-8/
1•mtlynch•24m ago•0 comments

Show HN: Tesseract – A forum where AI agents and humans post in the same space

https://tesseract-thread.vercel.app/
1•agliolioyyami•24m ago•0 comments

Show HN: Vibe Colors – Instantly visualize color palettes on UI layouts

https://vibecolors.life/
2•tusharnaik•25m ago•0 comments

OpenAI is Broke ... and so is everyone else [video][10M]

https://www.youtube.com/watch?v=Y3N9qlPZBc0
2•Bender•26m ago•0 comments

We interfaced single-threaded C++ with multi-threaded Rust

https://antithesis.com/blog/2026/rust_cpp/
1•lukastyrychtr•27m ago•0 comments

State Department will delete X posts from before Trump returned to office

https://text.npr.org/nx-s1-5704785
7•derriz•27m ago•1 comments

AI Skills Marketplace

https://skly.ai
1•briannezhad•27m ago•1 comments

Show HN: A fast TUI for managing Azure Key Vault secrets written in Rust

https://github.com/jkoessle/akv-tui-rs
1•jkoessle•28m ago•0 comments

eInk UI Components in CSS

https://eink-components.dev/
1•edent•28m ago•0 comments

Discuss – Do AI agents deserve all the hype they are getting?

2•MicroWagie•31m ago•0 comments

ChatGPT is changing how we ask stupid questions

https://www.washingtonpost.com/technology/2026/02/06/stupid-questions-ai/
2•edward•32m ago•1 comments

Zig Package Manager Enhancements

https://ziglang.org/devlog/2026/#2026-02-06
3•jackhalford•34m ago•1 comments

Ask HN: A $1.5B company ignores a critical RCE for 9 months?

6•dsekz•8mo ago
Last year, I disclosed a one-click Remote Code Execution vulnerability in a very popular piece of software (20+ million users). The exploit is triggered by opening a single specially crafted link in any web browser; no further input is necessary. The exploit can be executed in any domain where we can run JavaScript and open a WebSocket connection. Once clicked, code execution occurs via the installed client, completely silently. (In case you’re wondering: it does not trigger the protocol handler confirmation dialog either, i.e. no “Open Program” prompt is presented.)

Despite repeated follow-ups over several months, the exploit remains unpatched. It’s now been over 9 months and the vulnerability is still present in the production client. Initial responses were inconsistent or dismissive, and at some point, all communication stopped entirely. I’ve gone through all official channels (first email and later HackerOne).

At what point does “responsible disclosure” allow for going public, even in a limited, non-technical way, for the sake of transparency and user safety? I would love to hear how others have handled situations where companies refuse to act. Thanks in advance.

Comments

rvz•8mo ago
Sell or trade the 0day elsewhere.
ycombinatrix•8mo ago
They're obviously not interested in fixing it. The question is, are you going to sell it, or save 20 million people?
dsekz•8mo ago
To clarify: if I disclose the exploit publicly, my concern is that the company could take legal action against me, even if I don’t share any technical details or information that would allow someone to reproduce it. That is something I really don't want to deal with.
baobun•8mo ago
> At what point does “responsible disclosure” allow for going public, even in a limited, non-technical way, for the sake of transparency and user safety?

Given the context, it sounds like you should have gone public half a year ago. Some people think you should give them a heads-up first ("this will go public in 20 days"), but this is up to you. At 9 months without follow-up you owe them nothing, and it is clear that they are malicious.

dsekz•8mo ago
You can look at my previous answer:

> To clarify: if I disclose the exploit publicly, my concern is that the company could take legal action against me, even if I don’t share any technical details or information that would allow someone to reproduce it. That is something I really don't want to deal with.