Trusting User Input | An XSS Story

by dez on December 15, 2011

in Development, Personal, Testing

I wrote a blog post over at my employer’s blog called “Don’t make it hard for me to do the right thing”. You should read it.

I’m not going to post the full text over here, for the sake of not having duplicate content on the web. However, I just want to say that the entire process was not only hugely frustrating, but extremely rewarding. The following assumes that you’ve read the post linked above.

That post morphed from a detailed one describing how the vulnerability was exploited into a story about the ethics of reporting. It was extremely difficult to keep the detail out of the post while still providing good context. It also helped to have a few amazing editors looking at it to make the story flow better and read more smoothly.

The original XSS bug I found was that you could comment as anyone you wanted to on the first newspaper site, but that quickly turned into posting executable JavaScript as a username, and from there potentially doing whatever I wanted to.
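The bug described above, as an added example that is not from the original post or from the affected sites: a constructed comment template that echoes the commenter-supplied username straight into the page, next to the same template with every user-controlled field escaped. The function names and the sample comment are assumptions made for this example.

```javascript
// Added example, not code from the original post or the sites it describes.
// The comment's "username" field is rendered into HTML; unescaped, a tag in
// the username becomes live markup for every reader of the page.

// Minimal HTML entity escaping for text placed between tags or inside a
// quoted attribute. These five characters are the ones that can change the
// structure of the surrounding HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable template (the shape of the bug in the post): the username is
// concatenated into the markup as-is, so it is trusted as HTML.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><b>${comment.username}</b>: ${comment.body}</div>`;
}

// Hardened template: each user-controlled field is escaped at the point where
// it enters the HTML, regardless of what the field is called.
function renderComment(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.username)}</b>: ${escapeHtml(comment.body)}</div>`;
}

// Review-side check: true when a raw tag of the given name survived into the
// rendered output, which is what a template test should assert against.
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}

// Constructed sample comment: the username carries a harmless script tag so
// the contrast between the two templates is visible in the output.
const sampleComment = {
  username: '<script>alert("xss")</script>',
  body: 'Nice article & "thanks"',
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderCommentUnsafe(sampleComment)); // script tag is live HTML
  console.log(renderComment(sampleComment));       // script tag is inert text
}
```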

In the first response from the CRM after I reported the vulnerability, not only did they blow me off and treat me like I was one of their clients, but they disclaimed any responsibility for it and put it back on me (the apparent client) to fix the templates. This tells me that they KNEW ABOUT IT, but only offered tips on how not to do it.

I almost gave up at that point, but by then I’d already started communicating with the sites that were vulnerable, so I already had a relationship in place with the people this actually affected, and I wasn’t going to cause more work for them by giving up. That, and I’d promised not to go public with anything until they had a chance to fix it.

The final contact with the CRM was just plain out of boredom. I was desperate, having already tried a plea through the sales channel, the online chat that no one is ever on (even during business hours), and calls to the support/sales lines (which are one and the same).

I’m still glad I waited. I’ve got some decent new contacts.
