I found a Vulnerability. They found a Lawyer
3 hours ago
- #GDPR
- #Cybersecurity
- #Vulnerability Disclosure
- A diving instructor and platform engineer discovered a critical vulnerability in a major diving insurer's member portal during a dive trip.
- The vulnerability involved sequential numeric user IDs and a static default password, exposing sensitive personal data, including that of minors.
- The researcher responsibly disclosed the issue to CSIRT Malta and the organization, following standard 30-day embargo practices.
- Instead of gratitude, the organization responded with legal threats and an attempt to silence the researcher with an NDA.
- The vulnerability was eventually fixed, but the researcher questions whether affected users, especially minors, were notified as required by GDPR.
- The incident highlights a common pattern where organizations prioritize reputation over security and transparency.
- Recommendations include having clear vulnerability disclosure policies, thanking researchers, and not blaming users for security failures.
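The two weaknesses described above, sequential guessable IDs with no ownership check and one static default password, as an added illustration that is not code from the post or from the insurer's portal: a constructed in-memory portal in its weak form beside a hardened form, plus the audit check a defender would run. Member names, the `changeme` default and the portal layout are all placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed example of the two weaknesses the post describes: guessable
# sequential IDs with no ownership check, and one static default password.
DEFAULT_PASSWORD = "changeme"  # placeholder, not the insurer's real value
MEMBERS = [("Alice", False), ("Bob", True)]  # (name, is_minor), constructed

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def make_portal_weak(members=MEMBERS):
    """Sequential numeric IDs; every member starts on the same password."""
    return {str(i + 1): {"name": n, "minor": m, "password": DEFAULT_PASSWORD}
            for i, (n, m) in enumerate(members)}

def make_portal_hardened(members=MEMBERS):
    """Random opaque IDs, per-member salted hash, forced reset of the issued secret.
    Returns (portal, issued_secrets) so a caller can exercise the login."""
    portal, issued = {}, {}
    for n, m in members:
        mid, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        portal[mid] = {"name": n, "minor": m, "salt": salt,
                       "pw_hash": _hash(secret, salt), "must_reset": True}
        issued[mid] = secret
    return portal, issued

def login_weak(portal, member_id, password):
    rec = portal.get(member_id)
    return rec is not None and rec["password"] == password

def login_hardened(portal, member_id, password):
    rec = portal.get(member_id)
    if rec is None or not hmac.compare_digest(rec["pw_hash"], _hash(password, rec["salt"])):
        return False
    # Still on the issued one-time secret: only the reset flow is reachable.
    return "reset_required" if rec["must_reset"] else True

def fetch_weak(portal, _requester, member_id):
    return portal.get(member_id)  # no ownership check: any valid session reads any ID

def fetch_hardened(portal, requester, member_id):
    if requester != member_id:  # object-level authorization
        return None
    return portal.get(member_id)

def audit(portal):
    """Defender's check: are IDs guessable, and do all members share one credential?"""
    seen = {r.get("password") or r["pw_hash"] for r in portal.values()}
    return {"sequential_ids": all(k.isdigit() for k in portal),
            "shared_password": len(portal) > 1 and len(seen) == 1}
```

Running `audit` over the weak portal flags both findings; over the hardened one it flags neither, and a request for another member's record returns nothing even with a valid session.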