Quoting Losik:
free9man, yes, you're right - it's on them. But there is a circumstance. If I create an account or use a service of the website - its security is not just their business from this point, is it? Imagine that - you figured out that your bank has a lack of security and anyone can see all of your old transactions. Doesn't it make it your business as well?
But it is NOT your business to publicize how to exploit the vulnerability. If you do business with them and they do not fix it, stop doing business with them. Easy solution and the one I would use, as well as telling anyone I know not to use them. Not everyone can see the old transactions, only those who take the time to identify and exploit the vulnerability. You could go so far as to make vague references to a vulnerability in the site but even that is dangerous as it will invite the criminal hackers to find it.