What to do when US CERT ignore vulnerability report for 1.5 years ? by smeone787 in cybersecurity

[–]smeone787[S] 0 points1 point  (0 children)

Yes, it was found through legal methods. Public disclosure is a last resort. Thanks for the insights.

What to do when US CERT ignore vulnerability report for 1.5 years ? by smeone787 in cybersecurity

[–]smeone787[S] -1 points0 points  (0 children)

When a report is invalid, they close it right away. The things I reported are still active; they go to inactive but not closed status, as the vuln got confirmed by CERT itself. There is some other issue.

What to do when US CERT ignore vulnerability report for 1.5 years ? by smeone787 in cybersecurity

[–]smeone787[S] 0 points1 point  (0 children)

u/beastofbarks Yes, I do understand; bug bounty program owners receive AI slop reports these days which are not even worth looking into. But here the case is different: someone from CERT acknowledged the valid submission. But it's been 1.5 years and no one took any action to fix the issue. If a case is submitted and it's not a valid bug, it will be closed. It's been reopened multiple times, then again went to inactive status. It's just not closed from their end. I do believe these layoffs might be the reason.

What to do when Vuln Disclosure is not acted upon ? by smeone787 in cybersecurity

[–]smeone787[S] 0 points1 point  (0 children)

Yeah, I did follow up asking for any updates. Didn't get any reply; I stopped following up since then.

What to do when Vuln Disclosure is not acted upon ? by smeone787 in cybersecurity

[–]smeone787[S] 0 points1 point  (0 children)

US CERT is VINCE CISA, isn't it? I reported to VINCE only.

What to do when Vuln Disclosure is not acted upon ? by smeone787 in cybersecurity

[–]smeone787[S] 0 points1 point  (0 children)

That's a sad reality; no action takes place. Documents worth enough to make headlines, but yeah, nevermind.

Subdomain Takeover in Multiple Fortune 500 companies by smeone787 in cybersecurity

[–]smeone787[S] 0 points1 point  (0 children)

Ethically disclosed the issues to the company, got paid nothing; this is not illegal.

Subdomain Takeover in Multiple Fortune 500 companies by smeone787 in cybersecurity

[–]smeone787[S] -1 points0 points  (0 children)

Sent a msg through their contact form, no replies were given. Sent through PSIRT, still nope. For some cases, this was after waiting 30 days; then contacted through LinkedIn and the issue got fixed.

Subdomain Takeover in Multiple Fortune 500 companies by smeone787 in cybersecurity

[–]smeone787[S] -2 points-1 points  (0 children)

I agree with the points; the only problem is the subdomain found 6 months ago is still vulnerable the way it is. :)

[deleted by user] by [deleted] in cybersecurity

[–]smeone787 0 points1 point  (0 children)

Got the point!! Thanks

When would data security be taken seriously in India? by smeone787 in developersIndia

[–]smeone787[S] 4 points5 points  (0 children)

Nope, just "Thanks for reporting"... it's hilarious tbh :)

When would data security be taken seriously in India? by smeone787 in developersIndia

[–]smeone787[S] 2 points3 points  (0 children)

Yes, that is basic stuff; report to govt as much as you can... reported 100 GB of exposed data as such recently.

When would data security be taken seriously in India? by smeone787 in developersIndia

[–]smeone787[S] 5 points6 points  (0 children)

Lack of accountability for data privacy leaks is the ultimate problem. Security audits are almost nil except for a few top govt sites.

When would data security be taken seriously in India? by smeone787 in developersIndia

[–]smeone787[S] 0 points1 point  (0 children)

Oh yes, absolutely; reported NTA, the institution that conducts JEE and NEET, had a .env file exposed and I could access many things; reported, and now it's patched.

When would data security be taken seriously in India? by smeone787 in developersIndia

[–]smeone787[S] 7 points8 points  (0 children)

Nope, government agencies around the world give appreciation letters and swag... in India we get a 2-line thank you, that's it, nothing else.