Been trying to contact them for 8 months.
2020/07/09 - Tried to contact them. I used Twitter Proof but it feels like they're not using that account anymore.
2020/07/13 - Reported to HackerOne; hopefully they will find a way. (Texted me two messages and then I got ghosted; participant has been removed.)
2021/04/17 - Second try with Twitter and contacting devs or admins via name.com
This looks pretty abandoned; 8 months is wild.
Is it a remote unauthenticated vulnerability? If so, don’t just drop it wild.
Is it site-specific?
In any case, you can submit an abuse case to [email protected], who is the domain registrar, and notify the registrar that this domain is running vulnerable software and may be used to send fake spam if left unfixed.
Secondly, have you tried this? Contact Domain Owner | Name.com
Is it leaking PII? If so, you can submit a CERT CISA report: Incident Reporting System | CISA
Got it. Thank you for the information. Tried everything besides "Incident Reporting System | CISA".
Thank you again for the help. Gonna update this thread whenever I get some feedback.
Checking back in on this - How did you go @jackrendor?
Good luck with the CERT CISA. Reported 25,000+ PII leak impacting GDPR, HIPAA, and GLBA. Still haven't heard back.
My recommendation would be to use Hunter.io and look up contacts through there, or through Crunchbase.com, or a Google dork:

site:linkedin.com/* OR site:hunter.io/* OR site:crunchbase.com/* intext: [domain] AND intext: * Security * OR intext: *[domain]
This should absolutely lead you in the right direction. The problem with CERT is that they are very slow to respond; for companies (a lot of them teach us what we know) located in the US, DHS rarely responds, so if they are located in the US, look up their local SBI or FBI office.

Additionally, and there may be better people than me to speak on this, but if they have a single client in the EU (if you are one, for instance) or a single vendor there, they fall under GDPR guidelines. This can be reported directly to those that oversee GDPR. I would send a final email letting the company know what you are doing in terms of the agencies reported to, for your sake mainly.

If this ever does go to court, you want to make sure all your searches, logs, IPs used, everything, are stored, hashed regularly and backed up on a cold backup, nothing like cloud services, because a big company's attorney will tear that apart with the "public cloud argument". I hope this helps!

I would also tweak the above dork in whatever way works for you. It feels like Google has changed some things recently. But that one is also off the top of my head and may return way too much information based on the domain you are talking about. "Careers", "Architect", "Auditor", "Vendor Relations", things like that are good job titles to look for.
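Two steps in this thread are mechanical enough to script: pulling the registrar's abuse contact out of a WHOIS record (the registrar route suggested earlier in the thread) and generating the contact-discovery dorks from the post above, one per job title, with the domain and title quoted so Google treats them as exact phrases. The following is an added example, not code posted by anyone in the thread. It assumes the WHOIS text uses the common "Registrar Abuse Contact Email" / "Registrar Abuse Contact Phone" field names; the sample record, registrar, domain and contact details in it are constructed for illustration, not a real lookup.

```python
import re

# Constructed sample of a registrar WHOIS response (illustrative only; the
# domain, registrar and contact details are made up, not a real lookup).
SAMPLE_WHOIS = """\
Domain Name: VULNERABLE-SITE.EXAMPLE
Registrar: Example Registrar, LLC
Registrar IANA ID: 9999
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5550100
Updated Date: 2020-05-01T00:00:00Z
"""

# Field names as they appear in most gTLD WHOIS output (assumption: the
# registrar follows this common layout; some ccTLDs use different labels).
_WHOIS_FIELDS = {
    "registrar": r"^Registrar:\s*(.+?)\s*$",
    "abuse_email": r"^Registrar Abuse Contact Email:\s*(\S+)\s*$",
    "abuse_phone": r"^Registrar Abuse Contact Phone:\s*(\S+)\s*$",
}


def registrar_abuse_contacts(whois_text: str) -> dict:
    """Extract the registrar name and its abuse contacts from WHOIS text.

    Returns a dict with keys registrar, abuse_email and abuse_phone. A value
    is None when the record does not carry that line, so callers can fall
    back to the registrar's website rather than mailing an empty address.
    """
    found = {}
    for key, pattern in _WHOIS_FIELDS.items():
        match = re.search(pattern, whois_text, flags=re.MULTILINE | re.IGNORECASE)
        found[key] = match.group(1) if match else None
    return found


# Sources named in the post above, and the job titles it suggests searching for.
CONTACT_SITES = ("linkedin.com", "hunter.io", "crunchbase.com")
DEFAULT_ROLES = ("Security", "Careers", "Architect", "Auditor", "Vendor Relations")


def build_contact_dorks(domain: str, roles=DEFAULT_ROLES) -> list:
    """Return one Google query per role, restricted to the contact-discovery sites.

    The domain and role are quoted so each is matched as an exact phrase,
    which narrows results compared with the bare intext: form in the post.
    """
    sites = " OR ".join(f"site:{site}" for site in CONTACT_SITES)
    return [f'({sites}) "{domain}" "{role}"' for role in roles]


if __name__ == "__main__":
    contacts = registrar_abuse_contacts(SAMPLE_WHOIS)
    print("Registrar abuse contact:", contacts["abuse_email"], contacts["abuse_phone"])
    for query in build_contact_dorks("vulnerable-site.example"):
        print(query)
```

Feed `registrar_abuse_contacts` the output of `whois <domain>` for the target; if `abuse_email` comes back `None`, the registrar's own site usually lists an abuse form instead. The dork list is meant to be pasted into Google one query at a time, swapping the role list for whatever titles fit the organisation.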
Hey @jackrendor, did you have any success here?
Checking in @jackrendor - Are we able to close this off as solved, or are you still needing help connecting here?