3

I have successfully discovered a vulnerability in the New York Times website. Is there any known way I can report this? I have not attacked it. But I found a bypass. What should I do?

schroeder

2 Answers

3

They do not have a specific security contact listed, so you should email help@nytimes.com and ask for your message to be forwarded to their IT security department.

Polynomial
  • Thank you, I sent the email to them. I'm waiting. Also trying to contact them via LinkedIn but it is difficult –  Mar 21 '19 at 19:25
  • 1
    @LuisCarlos You'll almost never get good results from trying individual back-channels if you haven't first tried official channels like their standard contact point. – Polynomial Mar 21 '19 at 19:25
  • Of course I have never done this. So I'm asking the ethical way. Thank you for the help. –  Mar 21 '19 at 19:26
  • I have found this in all the majority of the websites... Strange.... –  Mar 21 '19 at 19:29
  • 7
    @LuisCarlos Are you sure it's a vulnerability then? What kind of vuln is it? – forest Mar 21 '19 at 20:26
-1

I see that my answer is too late, but I'm going to give it anyway because I believe it will be useful to others, although likely controversial.

Do not report vulnerabilities by identifiable or traceable methods!

In a reasonable and rational world, the recipient of your vulnerability report should thank you; unfortunately, that is more often not the case. The more common response is to accuse you of hacking their system. People have been arrested for things as simple as changing a parameter in a URL. "Shoot the messenger" is alive and well.

If you can't report it anonymously, don't report it at all. Stay well clear and tell no one.

I assure you, I know what I'm talking about.

user10216038