When reporting vulnerabilities that I believe could potentially expose an unbridled amount of users to a considerable risk, I usually append the following to my reports (unless it's unnecessary to do so):
This vulnerability potentially affects the millions of people who use the internet every day, especially those who have a vested interest in your organization and have loaned a certain amount of trust to the affected domain and the content hosted and served from it.
I believe it is the responsibility of myself (and other security researchers) to make users aware of the dangers they are and have been exposed to as soon as possible in order to maintain a healthy and realistic trust profile for the everyday internet user. If your company abuses its popularity and trustworthy reputation by ignoring (not remediating) vulnerability reports such as this one, it is of utmost importance that this behavior and the related vulnerability be disclosed publicly in order to protect those who trust in your organization.
Because of this, I adhere to the following public disclosure policy when dealing with vulnerabilities like the one being reported here:
- If no contact from your team about the resolution of the above vulnerability is received within 2 days (from the date of initial disclosure to you), a public disclosure will be made.
- If contact is received and no remediation is put in place within 7-8 days from the date of initial contact, a public disclosure will be made.
"If you do not protect the public from your mistakes I will protect them from you."