Ask HN: A $1.5B company ignores a critical RCE for 9 months?

6•dsekz•1d ago
Last year, I disclosed a one-click Remote Code Execution vulnerability in a very popular piece of software (20+ million users). The exploit is triggered by opening a single specially crafted link in any web browser, with no further input necessary. The exploit can be executed from any domain where we can run JavaScript and open a WebSocket connection. Once clicked, code execution occurs via the installed client, completely silently. (In case you’re wondering: it does not trigger the protocol handler confirmation dialog either, i.e. no “Open Program” prompt is presented.)

Despite repeated follow-ups over several months, the exploit remains unpatched. It’s now been over 9 months and the vulnerability is still present in the production client. Initial responses were inconsistent or dismissive, and at some point, all communication stopped entirely. I’ve gone through all official channels (first email and later HackerOne).

At what point does “responsible disclosure” allow for going public, even in a limited, non-technical way, for the sake of transparency and user safety? I would love to hear how others have handled situations where companies refuse to act. Thanks in advance.
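The post describes a browser-reachable WebSocket path into an installed client. The usual defender-side control for that class of bug is strict Origin validation on the local listener, shown here as an added example that is not part of the thread and not code from the affected product. It assumes a hypothetical local agent that accepts WebSocket upgrades and a constructed allowlist; sample handshakes are constructed inline.

```python
"""Origin allowlisting for a hypothetical local WebSocket listener.

Browsers attach an Origin header to every WebSocket handshake but do not
enforce same-origin for WebSockets, so any web page can open a socket to
127.0.0.1. The listener itself must decide which origins it trusts.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed placeholder allowlist

def parse_handshake(raw: bytes) -> Dict[str, str]:
    """Return lower-cased header names -> values from an HTTP/1.1 upgrade request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalize scheme://host:port so comparison is exact, never prefix-based."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # covers "null", file://, and garbage values
    port = port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"

def origin_allowed(headers: Dict[str, str], allowed=ALLOWED_ORIGINS) -> bool:
    """Accept the upgrade only for an explicitly allowlisted web origin.

    A missing Origin is refused by default: a browser always sends one, and a
    non-browser peer can forge it anyway, so this check complements, rather
    than replaces, per-connection authentication of the local client.
    """
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    origin = headers.get("origin")
    if origin is None:
        return False
    norm = normalize_origin(origin)
    if norm is None:
        return False
    return norm in {normalize_origin(a) for a in allowed}

# Constructed sample handshakes: one from the allowlisted app, one from a
# look-alike host that a naive startswith() check would wrongly accept.
GOOD_HANDSHAKE = (b"GET /ws HTTP/1.1\r\nHost: 127.0.0.1:9000\r\nUpgrade: websocket\r\n"
                  b"Connection: Upgrade\r\nOrigin: https://app.example.com\r\n\r\n")
LOOKALIKE_HANDSHAKE = GOOD_HANDSHAKE.replace(
    b"Origin: https://app.example.com", b"Origin: https://app.example.com.evil.invalid")
```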

Comments

rvz•1d ago
Sell or trade the 0day elsewhere.
ycombinatrix•1d ago
They're obviously not interested in fixing it. The question is, are you going to sell it, or save 20 million people?
dsekz•1d ago
To clarify, if I disclose the exploit publicly, my concern is that the company could take legal action against me, even if I don’t share any technical details or information that would allow someone to reproduce it. That is something I really don't want to deal with.
baobun•1d ago
> At what point does “responsible disclosure” allow for going public, even in a limited, non-technical way, for the sake of transparency and user safety

Given the context, it sounds like you should have gone public half a year ago. Some people think you should give them a heads-up first ("this will go public in 20 days"), but this is up to you. At 9 months without follow-up you owe them nothing, and it is clear that they are malicious.

dsekz•1d ago
You can look at my previous answer:

> To clarify, if I disclose the exploit publicly, my concern is that the company could take legal action against me, even if I don’t share any technical details or information that would allow someone to reproduce it. That is something I really don't want to deal with.
