How to deal with a company that doesn't fix (potential) security vulnerabilities in their web app?
Should I give them a second chance
Yes. It is typical to wait several months and communicate several times with the developing company before taking any further action.
If the company has shown that it is not willing to fix the issue, a possible next step is to publicly disclose the issue.
or contact some kind of data protection authority?
This is a good idea. I don't have experience with this, but you could at least inform such an authority of what you found and that you are discussing next steps with the company.
And would you consider these problems/vulnerabilities critical?
No, but it shows that they haven't done anything to secure their systems, so it is likely that there are more serious vulnerabilities.
While these are not super-critical, I'd personally go for a responsible disclosure.
In a nutshell that means that you inform them about the vulnerabilities and also tell them that you will publish those after x days - regardless of whether they fixed them or not.
Google has a 90-day disclosure policy, which seems pretty standard nowadays.
The idea of this is that:
- You give the company a reasonable timeframe to fix things
- You also make them responsible and put the pressure on for a timely fix
You should obviously try to contact their security people directly (if they have any) and assist them if possible. However, if they don't react and don't fix in time, go public. Instead of or in addition to publishing, you can contact an appropriate authority - especially if you don't get any reaction.
If this is in Europe, they would be in violation of the GDPR for not appropriately securing personal data, and if you contact the supervisory authority they would probably move in with fines and some unpleasant questions.
If you wish to remain anonymous, you could also try to contact an established infosec professional and see if they would go public or advise you.
Publishing (even by tweeting) will also have the side effect that you can build a name for yourself.
Can I get in trouble for this?
Of course companies may not be happy about disclosure, and may try to retaliate legally against researchers or journalists.
If you stay within the limits of the law, you can successfully defend against this kind of lawsuit, but that doesn't mean they can't cause major trouble for you.
As far as the law goes: What is allowed or not can be very different in different parts of the world; you need to check what your local law is. Most western countries allow security research, but do not allow you to actually access confidential data or disrupt systems (not even as a proof of concept).
Some options are:
- Remain anonymous when you publish (though you then need to know how to protect your identity)
- Tip off a journalist. They will protect you as a source, but there is no guarantee they're interested in your case
- Tip off the authorities, though there is no guarantee they'll follow up on the case
- Tip off a researcher (or team) who does this professionally. They will have experience and a legal department on their side
- Stick with companies that offer a "safe haven" for security researchers in the first place.
That said, the majority of companies these days seem to appreciate good-faith reviews and many will even give public kudos or bounties.
Note: Some companies offer bounties but in return want you to agree that you don't publish without their permission. It is not uncommon for researchers to refuse the bounty rather than be bound by such terms.