Lobsters.

While on a 14-day-long dive trip around Cocos Island in Costa Rica, I stumbled across a vulnerability in the member portal of a major diving insurer - one that I’m personally insured through. What I found was so trivial, so fundamentally broken, that I genuinely couldn’t believe it hadn’t been exploited already.

I disclosed this vulnerability on April 28, 2025 with a standard 30-day embargo period. That embargo expired on May 28, 2025 - over eight months ago. I waited this long to publish because I wanted to give the organization every reasonable opportunity to fully remediate the issue and notify affected users. The vulnerability has since been addressed, but to my knowledge, I have not received confirmation that affected users were notified. I have reached out to the organization to ask for clarification on this matter.

This is the story of what happened when I tried to do the right thing.

  • Deebster · 35 points · 1 day ago (edited)

    Disgraceful, old-fashioned actions from the unnamed diving certifiers insurer - and, as the major diving insurance company (based in Malta) is DAN World Insurance Group SP, it’s clear that DAN puts their reputation above child safety.

    (edited out misdirected finger pointing)

    I would add that I’m not sure 30 days is “generous” given that 90 days is somewhat standard, but given that it took only two days for a lawyer’s threats to arrive that’s not too relevant.

    • Leeks@lemmy.world · 17 points · 2 days ago

      It is a “Diving insurer” not a “diving certifier”. This is likely DAN, since he is a PADI instructor and PADI pushes DAN.

      • Deebster · 8 points · 2 days ago (edited)

        You’re absolutely right, I’ll edit my comment. Thanks for the catch.