A $1.5B company ignores a critical RCE for 9 months?

Question

Last year, I disclosed a one-click Remote Code Execution vulnerability in a very popular software (20+ million users). The exploit is triggered by opening a single specially crafted link in any web browser&ndash;no further input necessary. The exploit can be executed in any domain where we can run javascript and open a websocket connection. Once clicked, code execution occurs via the installed client, completely silently. (In case you&rsquo;re wondering: It does not trigger protocol handler confirmation dialog either &ndash; aka. no &ldquo;Open Program&rdquo; prompt is presented.)Despite repeated follow-ups over several months, the exploit remains unpatched. It&rsquo;s now been over 9 months and the vulnerability is still present in the production client. Initial responses were inconsistent or dismissive, and at some point, all communication stopped entirely. I&rsquo;ve gone through all official channels (first email and later HackerOne).At what point does &ldquo;responsible disclosure&rdquo; allow for going public, even in a limited, non-technical way, for the sake of transparency and user safety? I would love to hear how others have handled situations where companies refuse to act. Thanks in advance.

baobun · Accepted Answer

> At what point does &ldquo;responsible disclosure&rdquo; allow for going public, even in a limited, non-technical way, for the sake of transparency and user safetyGiven context, sounds like you should have gone public half a year ago. Some people think you should to give them a heads up first ("this will go public in 20 days") but this is up to you. At 9 months without follow-up you owe them nothing and it is clear that they are malicious.

ycombinatrix · Answer

They're obviously not interested in fixing it. The question is, are you going to sell it, or save 20 million people?

rvz · Answer

Sell or trade the 0day elsewhere.