
I do wonder how you got in contact with them? No security.txt or other obvious ways to report a security issue.



In the footnotes:

> Someone once asked me, as commentary on my ability to figure out email addresses, “Are you a Hacker or in sales?”

Just a bit of OSINT and educated guessing.


It's pretty easy to get in contact with someone most of the time if you search for relevant roles on Google with site:linkedin.com, or if you want to reach execs, on their business pages. I usually include several combinations of first and last names @company.com, so like I will email JSmith@company.com and JohnSmith@company.com and others. This is useful for escalating customer service complaints if you're just hitting a brick wall with the low-level customer service staff.


AFAICT there's no longer any actual humans reading mail sent to any domain's postmaster@insert-domain.here, even tho it is required by RFPs.


Yeah, this is pretty much what I did, except the demo account had an employee's email address in the details so I knew the format.


They do have a vulnerability policy page, but that was harder to find than figuring out an email address. I did suggest they implement security.txt, as it would have made things easier.



