How to be taken seriously when doing responsible disclosure?

Question

Last week while reading an article on a website the URL ending in .php?id=1 it just asked to be tested for SQLi. When I confirmed that it was vulnerable I also found out that there was no user input filtering and a simple "<script>alert(1)</script> was possible.

When looking for a contact email to report the vulnerability I only found addresses for specific departments, like [email protected].

Since I did not want to just send the vulnerability report randomly I called the company, explaining that I found a problem in their website and that it would be a good idea to get it fixed. I explained that I would like to get in touch with someone from IT or someone who has any relation to the people that maintain the website.

The person on the phone got quite aggressive, told me to take a hike (used a bit less friendly language) and told me I had nothing to do with their IT department of website.

How can I convince people about the importance of a vulnerability and the disclosure when they are not familiar with IT? Especially when no email contact is possible?

FYI, I believe I was very polite and calm on the phone.

Answer 1

The ground rule is, if a website does not have a responsible disclosure policy any security team looking after their public resources is an indication that they neither care about the security of their resources nor they are going to consider any report from a random person yet. If I find some major issues in certain major company's website, I would report it through right communication channel and remind them couple of times and that should be it.

The person on the phone got quite aggressive, told me to take a hike (used a bit less friendly language) and told me I had nothing to do with their IT department of website.

You are a nobody and he is right. I guess he's not aware of things like bug bounty, independent security researcher. So it is hardly likely he's going to honor anything coming out of you. There have been numerous cases where the website owners got pissed and created problems for the researchers. The wise thing to do here is just let go and look for somewhere else where your efforts are appreciated. They have no written policy or procedure which can defend you if they were to ask you why you generated such malicious traffic on our website.

How can I convince people about the importance of a vulnerability and the disclosure when they are not familiar with IT? Especially when no email contact is possible?

The convincing in this case is to be done to the respective person and here you have no contact. You can't randomly go explaining the bits of weakness of their website to the guy who picks up the phone or sending the report via social media channel like Facebook. This would not be responsible disclosure.

The right thing to do is ask for their security team's contact information on their official contact email without explaining the issue. If you do get an official response then act accordingly otherwise they don't care and so should't you. You can send two or three polite weekly reminders and that's it.