I recently purchased an item directly from a brand (as opposed to Amazon or resellers) and found an IDOR that gave access to all their invoices. I didn’t blog about it, didn’t go to the media, didn’t “@” the company to DM me. I just emailed their support@ & DM’d them on Twitter.
I started the email with “I’m not doing this for compensation or to threaten your team, I just want to make sure my PII stays safe,” sent them the details, and luckily heard back from them within a few days.
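For readers who don’t know the bug class: an IDOR (insecure direct object reference) is what you get when a server looks up a record purely by the id the client sends, without checking that the caller owns it. The snippet below is an added example, not code from the thread or from the brand in question; the invoice data and customer ids are constructed, and the function names are hypothetical. It puts the vulnerable lookup beside the one that closes the hole, and includes the enumeration loop a curious customer would run to see the difference.

```python
# Added example: minimal invoice lookup showing the IDOR pattern and the
# ownership check that closes it. All data here is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    customer_id: int
    total_cents: int


# Constructed sample data: invoices belonging to two different customers.
INVOICES = {
    1001: Invoice(1001, customer_id=7, total_cents=4999),
    1002: Invoice(1002, customer_id=8, total_cents=12900),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(session_customer_id: int, invoice_id: int) -> Invoice:
    """IDOR: the record is selected by the client-supplied id alone.
    session_customer_id is ignored, so any logged-in customer can walk
    1001, 1002, ... and read everyone's invoices."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_fixed(session_customer_id: int, invoice_id: int) -> Invoice:
    """Same lookup, but the owner stored on the record is compared with the
    server-side identity from the session before anything is returned.
    In SQL this is the difference between
        WHERE id = ?            (vulnerable)
    and WHERE id = ? AND customer_id = ?   (scoped).
    Missing and foreign invoices both raise NotFound so the response does
    not confirm which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.customer_id != session_customer_id:
        raise NotFound(invoice_id)
    return inv


def enumerate_invoices(fetch, session_customer_id: int, id_range) -> list:
    """Walk a range of ids the way a curious customer would and return
    the ids that fetch() hands back. Against the vulnerable lookup this
    returns every invoice in the range; against the fixed one, only the
    caller's own."""
    readable = []
    for iid in id_range:
        try:
            fetch(session_customer_id, iid)
            readable.append(iid)
        except NotFound:
            pass
    return readable


if __name__ == "__main__":
    # Customer 7 probing ids 1000..1009 against each implementation.
    print("vulnerable:", enumerate_invoices(get_invoice_vulnerable, 7, range(1000, 1010)))
    print("fixed:     ", enumerate_invoices(get_invoice_fixed, 7, range(1000, 1010)))
```

The check that matters is the one in get_invoice_fixed: identity comes from the session, never from the request, and the record’s owner is compared against it before the record leaves the server. Returning the same not-found result for foreign and nonexistent ids is a small extra that keeps the endpoint from doubling as an invoice-id oracle.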
If you accidentally find a bug, don’t be a dick. When you go to the media and make a scene, the engineers don’t deal with the whole thing; you’re also causing extra work for their PR teams and people that had nothing to do with the vuln.
If they’re not inviting you to look at the products, you shouldn’t be poking at them and then getting pissed off that you didn’t get a shiny star for something you shouldn’t have been doing in the first place.