I released my post-FA-debacle list of security vulnerabilities 23 days ago. Since then, only one person on FA staff has approached me about the list; this person is neither a technical contact nor a high-tier administrator, and he only asked vaguely about the admin panel CSRF exploit.
If so, I imagine the best thing to do is put your information together in some sort of at least semi-formal manner and present it to "FA". If they do something about it, great, if they don't, oh well. Maybe then your course of action could be to publish this stuff somewhere, details and all. Someone will undoubtedly use it against the site and maybe that will convince them to fix it.
Ethically, the latter probably isn't the best idea since it involves people not directly responsible for the issue(s) at hand, e.g. users of the site or anyone that picks up the details about the exploits. However, making an honest attempt to present those details to an entity capable of patching the exploits is The Right Thing to Do™. The key is to divulge this information in such a way as to reduce or eliminate enlightening anyone that can't or won't be involved in resolving the problems.
If you're an "enterprising party" that would be interested in exploiting these things, it's a choice that's up to you. Do you help yourself, or do you follow your moral code and tell them the problems? (If you feel morally obligated to, that is.)
Don't offer to help aside from giving details about the problems. From what I understand, you've got plenty to entertain yourself, and FA doesn't seem to want your help; you're much better off investing time and effort in problems of your own, like furthering your work on floof.
I feel like I'm rambling though, so I'll leave it at that. You know where to find me if you want to bounce ideas off me or question what I might do.