2025-03-17: I report a critical vulnerability (trivial, complete 2FA bypass) to a well-known company’s security email alias. No reply.
2025-04-07: I report it again to their bug bounty program.
2025-04-09: They close it as a duplicate.
Their bug bounty program says, basically, “we never disclose reports. Don’t discuss them with anyone.”
23 days into this episode, I’m starting to weigh the responsible thing to do here.
Teknique is my middle name /
npub13e…clhjj
2025-04-09 21:57:38
Author Public Key
npub13e30hnrpg768tslwwjveafaazctk7ghf9va2se2k4ygr8cj24veshclhjjSeen on
wss://relay.mostr.pubPublished at
2025-04-09 21:57:38Event JSON
{
"id": "61142c17749f98cb4d9726c169e6dc9789c49f2c2b402aed46c311dcbd8a8349",
"pubkey": "8e62fbcc6147b475c3ee74999ea7bd16176f22e92b3aa86556a91033e24aab33",
"created_at": 1744235858,
"kind": 1,
"tags": [
[
"proxy",
"https://freeradical.zone/users/tek/statuses/114310241196885957",
"activitypub"
],
[
"client",
"Mostr",
"31990:6be38f8c63df7dbf84db7ec4a6e6fbbd8d19dca3b980efad18585c46f04b26f9:mostr",
"wss://relay.mostr.pub"
]
],
"content": "2025-03-17: I report a critical vulnerability (trivial, complete 2FA bypass) to a well-known company’s security email alias. No reply.\n\n2025-04-07: I report it again to their bug bounty program.\n\n2025-04-09: They close it as a duplicate.\n\nTheir bug bounty program says, basically, “we never disclose reports. Don’t discuss them with anyone.”\n\n23 days into this episode, I’m starting to weigh the responsible thing to do here.",
"sig": "acbebb6baa1bd15eca0231856c03b0bf33a4e6067b3e05704fb757fb85806573fc8477a039cab464f599c39c42ba15b689cbfe919b065b1e1bf9bfce13ea6acf"
}