Last year, I disclosed a one-click Remote Code Execution vulnerability in a very popular software (20+ million users). The exploit is triggered by opening a single specially crafted link in any web browser–no further input necessary. The exploit can be executed in any domain where we can run javascript and open a websocket connection. Once clicked, code execution occurs via the installed client, completely silently. (In case you’re wondering: It does not trigger protocol handler confirmation dialog either – aka. no “Open Program” prompt is presented.)

Despite repeated follow-ups over several months, the exploit remains unpatched. It’s now been over 9 months and the vulnerability is still present in the production client. Initial responses were inconsistent or dismissive, and at some point, all communication stopped entirely. I’ve gone through all official channels (first email and later HackerOne).

At what point does “responsible disclosure” allow for going public, even in a limited, non-technical way, for the sake of transparency and user safety? I would love to hear how others have handled situations where companies refuse to act. Thanks in advance.