
billy_eilish_avacado

What to do when you see a vulnerability?

Today I found a Laravel website with a serious vulnerability. The website was leaking personal data through one API endpoint that was publicly accessible to other users. It's like the endpoint requires authentication, but they forgot to add authorization. For example, I can download other users' passports, etc.

I sent them emails and messages, but they never really cared. What would be a good solution? And could I be in trouble in the future because I reported it to them?

Thanks.

0 likes
8 replies
billy_eilish_avacado

@maximilien It's not an open source project, and I have not found any security.txt. It's a big website, and I reported it about 4 days ago by message and email. I sent them a detailed report. Even 6 months ago I reported to them that their website has too many security flaws, but they don't even reply or give a shit.

Is there any legal stuff we need to know? Because let's say another hacker finds it; I am going to be the primary suspect, right?

The vulnerability looks like this: they provide a service to download a passport via xyz.com/passport/1.

But they forgot to protect the route for xyz.com/passport/2, so now user 1 can download user 2's passport.

I am mostly worried about the data of the people they collected it from. If I publish the report now, other people may misuse it until the company fixes the issue. But I am just a simple dev, and if I can find it, there is a high probability that others have already found it or will find it. I would like to get it fixed before damage is done.

The worst thing is that they still run on PHP 5.3.3, and the company has about 1 million subscribers. I don't understand it; a big company is probably paying low salaries, probably because in our country software is usually never valued by most companies.

This is such a frustrating situation, and I don't even know what I should do.

Snapey

Are they based in a country that has an information commissioner, or some government department that cares about citizen privacy?

shez1983

If they have Twitter/Facebook, shaming them on it should get them to do something. Otherwise, if you can see/download the users list, you could email them all (or at least some). What site is this?

jlrdw

Laravel is secure when RBAC is set up right.

But I'm just afraid this happens often due to new folks not properly learning RBAC.

I see where many here think authentication is enough, but they never learn how to properly verify an id in the url does indeed match the Auth::id().

They set up their routes and think they are good to go.

RBAC takes time to set up properly. Any framework (including plain PHP) is insecure when a person new to programming is suddenly (in their mind) an expert in a week.

But contact the site owner and let them know.
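To make the point in the two posts above concrete (the unprotected `xyz.com/passport/{id}` route the OP describes, and jlrdw's advice to verify that the id in the URL actually belongs to `Auth::id()`), here is an added example in Laravel-style PHP. It is not code from the thread or from the affected site; the `Passport` model, its `user_id` and `path` columns, the `PassportController`, the `PassportPolicy` and the optional `is_admin` column are all assumed names for illustration.

```php
<?php
// Added example, not code from the thread. Assumes a Passport Eloquent model
// with columns user_id (owner) and path (file in the default storage disk).

use App\Models\Passport;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

// --- The pattern described in the thread (do NOT ship this) ---------------
// 'auth' only proves the caller is *some* logged-in user. Nothing ties the
// {id} in the URL to that user, so any account can fetch any passport.
Route::middleware('auth')->get('/passport-insecure/{id}', function (int $id) {
    $passport = Passport::findOrFail($id);
    return Storage::download($passport->path);
});

// --- Fix 1: scope the lookup to the authenticated user -------------------
// Querying through the relationship means a passport that is not the
// caller's simply does not exist from their point of view (404, not 403),
// which also avoids confirming which ids are valid.
Route::middleware('auth')->get('/passport/{id}', function (Request $request, int $id) {
    $passport = $request->user()->passports()->findOrFail($id); // assumes User::passports()
    return Storage::download($passport->path, 'passport.pdf');
});

// --- Fix 2: an explicit policy (the "RBAC" jlrdw refers to) ---------------
// Belongs in app/Policies/PassportPolicy.php. Laravel auto-discovers it for
// App\Models\Passport when named this way; otherwise register it in the
// AuthServiceProvider $policies map.
class PassportPolicy
{
    public function download(User $user, Passport $passport): bool
    {
        // Owner check first; the admin override is an assumed boolean column.
        return $user->id === $passport->user_id
            || (bool) ($user->is_admin ?? false);
    }
}

// Belongs in app/Http/Controllers/PassportController.php.
class PassportController extends \App\Http\Controllers\Controller
{
    // Route-model binding resolves {passport}; authorize() throws an
    // AuthorizationException (HTTP 403) when the policy returns false.
    public function download(Request $request, Passport $passport)
    {
        $this->authorize('download', $passport);
        return Storage::download($passport->path, 'passport.pdf');
    }
}

Route::middleware('auth')
    ->get('/passport/{passport}/download', [PassportController::class, 'download'])
    ->name('passport.download');
```

Fix 1 is the smallest change and is enough when only the owner may ever see the file; Fix 2 is the one to reach for once other roles (support staff, an admin) legitimately need access, because the rule then lives in one place instead of being repeated in every controller. Either way, a quick self-check for this class of bug is to log in as one test user and request an id that belongs to another: a correct route returns 403 or 404, never the file.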

shez1983

I am not sure what your reply has to do with what OP is trying to do?

Maximilien

Hi,

If they play deaf, I understand your frustration.

Another tip I can give you, as national identity documents are involved, is to contact your local CERT; here is an example for the Nepalese CERT.
