HN Reader

Learning Elvish (but not the Middle-earth one) (nevkontakte.com)

1 points by aleksi 3m ago 0 comments

Mirage: UGC AI (captions.ai)

1 points by handfuloflight 5m ago 0 comments

Running FreeDOS inside a Pokémon Emerald save file (commentated) [video] (youtube.com)

1 points by brokensegue 8m ago 0 comments

Why AI Will Never Be Conscious – Recursive Identity Requires Collapse (osf.io)

3 points by dgaconnet 9m ago 1 comments

End of an Era: Landsat 7 Decommissioned After 25 Years of Earth Observation (usgs.gov)

2 points by keepamovin 22m ago 1 comments

Show HN: WhimpsyAI – I built this to learn something new every day in 10 minutes (whimpsyai.com)

2 points by shivanhupr 23m ago 0 comments

My first attempt at iOS app development (mgx.me)

3 points by surprisetalk 29m ago 0 comments

Engineer Fixes and Re-Installs Old Payphones, Provides Free Calls to the Public (core77.com)

5 points by surprisetalk 31m ago 0 comments

Principles of Flight (cfinotebook.net)

2 points by 1659447091 32m ago 0 comments

The Medical Evidence Project (jamesclaims.substack.com)

2 points by onychomys 34m ago 0 comments

Want to Model a Land Value Tax Shift in Your City? (progressandpoverty.substack.com)

3 points by surprisetalk 34m ago 0 comments

Sydney's sulphur-crested cockatoos spotted using drinking fountains (abc.net.au)

3 points by femto 36m ago 1 comments

Startup Equity 101 (quarter--mile.com)

1 points by surprisetalk 37m ago 0 comments

Amazon to invest $10bi in NC to expand cloud and advance AI innovation (aboutamazon.com)

1 points by zekrioca 37m ago 0 comments

Cursor v1.0 (forum.cursor.com)

2 points by vincent_s 42m ago 0 comments

What Is an AI Agent, Really (agentrank.tech)

2 points by hughmcinnis 46m ago 0 comments

Show HN: I built a Chrome extension to unify debugging for GTM,GA4& 20 trackers (zen-analytics-pixel-tracker.web.app)

1 points by toannc 49m ago 0 comments

PS5 shooter goes from 5 players to bestseller after devs defend game (polygon.com)

3 points by driftsumi-e 49m ago 0 comments

The basics of an indirect threaded code ANS Forth implementation (boston.conman.org)

3 points by ingve 55m ago 0 comments

Cryptography Scales Trust (newsletter.squishy.computer)

2 points by colinprince 56m ago 0 comments

Mastra 101 (mastra.ai)

2 points by nbbaier 58m ago 1 comments

Differences in link hallucination and source comprehension across different LLM (mikecaulfield.substack.com)

3 points by hveksr 1h ago 0 comments

An "ice battery" system is being used to cool buildings and lower energy costs (cbsnews.com)

2 points by addaon 1h ago 0 comments

Using 'Slop Forensics' to Determine Model Ancestry (dbreunig.com)

2 points by pabs3 1h ago 0 comments

It's Not Just Poor Rains Causing Drought. The Atmosphere Is 'Thirstier.' (nytimes.com)

1 points by lxm 1h ago 0 comments

Sodium-air fuel cell to enable electric aviation (news.mit.edu)

2 points by joak 1h ago 2 comments

Economists Raise Questions About Quality of U.S. Inflation Data (wsj.com)

7 points by harambae 1h ago 1 comments

Investors circle the Trump trade's global market victims (November 2024) (finance.yahoo.com)

1 points by thomassmith65 1h ago 0 comments

Deriving the gradient for the backward pass of Layer Normalization (shreyansh26.github.io)

3 points by shreyansh26 1h ago 0 comments

AI as a Financial Market Analyst (monadwealth.com)

1 points by shaduadiale 1h ago 1 comments

Show HN: I made a Custom GPT to help find emails without breaking the bank (chatgpt.com)

1 points by grayfox777 1h ago 0 comments

The Clemson University Vehicular Electronics Labratory (2017) (cecas.clemson.edu)

2 points by nativeit 1h ago 0 comments

Show HN: Top Payment Gateways in Asia (altified.com)

1 points by benedictowusu 1h ago 0 comments

Amazon prepares to test humanoid robots for deliveries, The Information reports (reuters.com)

2 points by aspenmayer 1h ago 1 comments

The Art of SQL Query Optimization (jnidzwetzki.github.io)

5 points by thunderbong 2h ago 0 comments

Panjandrum: The 'giant firework' built to break Hitler's Atlantic Wall (bbc.com)

3 points by rmason 2h ago 0 comments

High-rise forests can transform city life – and make us happier (bbc.com)

2 points by rmason 2h ago 0 comments

Show HN: Website Speed Checker in Bulk (using apify) (apify.com)

1 points by onescales 2h ago 0 comments

Bloomberg Uses Old Tesla FSD Data to Question Robotaxi Safety (gearmusk.com)

4 points by loog5566 2h ago 0 comments

Show HN: I made a 3D SVG Renderer that projects textures without rasterization (seve.blog)

59 points by seveibar 2h ago 7 comments

Ask HN: What's the most overengineered tool everyone uses but won't admit sucks?

10 points by fazlerocks 2h ago 16 comments

SaaS Launch Checklist for the Vibecoding Era (lightrains.com)

3 points by niksmac 2h ago 1 comments

Copilot Spaces: A new way to work with code and context (github.blog)

8 points by yawz 2h ago 0 comments

Standardizing Extended Integers in C++ (2018) [pdf] (open-std.org)

2 points by 12_throw_away 2h ago 0 comments

US science is being wrecked (arstechnica.com)

7 points by xqcgrek2 2h ago 2 comments

Couple has eaten at the same restaurant six nights a week for 15 years (2019) (kansas.com)

12 points by NaOH 2h ago 4 comments

Saying Goodbye (chrisgiven.com)

14 points by ronbenton 2h ago 1 comments

Ask HN: Alternatives to NAT gateways for EC2 instances

2 points by nodesocket 2h ago 5 comments

Autopen Guide (astroautopens.com)

5 points by rolph 2h ago 1 comments

Microsoft 365 Copilot Experiment: Cross-Government Findings Report (gov.uk)

3 points by azophy_2 3h ago 0 comments

Ask HN: A $1.5B company ignores a critical RCE for 9 months?

6 dsekz 5 6/4/2025, 5:10:05 PM
Last year, I disclosed a one-click Remote Code Execution vulnerability in a very popular software (20+ million users). The exploit is triggered by opening a single specially crafted link in any web browser–no further input necessary. The exploit can be executed in any domain where we can run javascript and open a websocket connection. Once clicked, code execution occurs via the installed client, completely silently. (In case you’re wondering: It does not trigger protocol handler confirmation dialog either – aka. no “Open Program” prompt is presented.)

Despite repeated follow-ups over several months, the exploit remains unpatched. It’s now been over 9 months and the vulnerability is still present in the production client. Initial responses were inconsistent or dismissive, and at some point, all communication stopped entirely. I’ve gone through all official channels (first email and later HackerOne).

At what point does “responsible disclosure” allow for going public, even in a limited, non-technical way, for the sake of transparency and user safety? I would love to hear how others have handled situations where companies refuse to act. Thanks in advance.

Comments (5)

baobun · 9h ago
> At what point does “responsible disclosure” allow for going public, even in a limited, non-technical way, for the sake of transparency and user safety

Given context, sounds like you should have gone public half a year ago. Some people think you should to give them a heads up first ("this will go public in 20 days") but this is up to you. At 9 months without follow-up you owe them nothing and it is clear that they are malicious.

dsekz · 7h ago
You can look at my previous answer:

> To clarify, If I disclose the exploit publicly, my concern is that the company could take legal action against me, even if I don’t share any technical details or information that would allow someone to reproduce it. – Something I really don't want to deal with.

ycombinatrix · 10h ago
They're obviously not interested in fixing it. The question is, are you going to sell it, or save 20 million people?
dsekz · 7h ago
To clarify, If I disclose the exploit publicly, my concern is that the company could take legal action against me, even if I don’t share any technical details or information that would allow someone to reproduce it. – Something I really don't want to deal with.
rvz · 11h ago
Sell or trade the 0day elsewhere.