Ask Slashdot: To Hack Or Not To Hack?
seeread writes "I discovered how to hack into and secure user accounts of a rising mobile payment start-up. Account info includes credit card details and usage. The company has big name financial backing and an IRL presence, but very few in-house developers, and they don't seem terribly concerned about security. Good samaritan that I am for now, I sent them an e-mail explaining the lapse on their part, but the responses I have received thus far are confused, aloof and unconvinced. So, I am wondering: what is the appropriate next step? Should I do a proof of concept? Should I go to the investors, or should I post about it somewhere? The representatives haven't been too receptive, despite the fact that their brand seems to be at risk, not to mention all of those users' credit cards. I almost feel like it's my responsibility to blow them out of the water if they have made it this far while compromising such trusted data. And although I would love to be in the paper, this hack is just too easy for it to be respectable, though I am sure the FBI could still be interested in all those credit card numbers."
Not having broken any laws is very unlikely; worse still it may be true locally, but likely he's broken US law and may be extradited or tricked into a situation where they can get him. Later, when he's had a clear statement from the company that he did the right thing, then that's the time to go to the press. Right now, when he's pretty clearly screwed up, he should be in damage limitation mode.
The fact that the company is giving "confused" and "aloof" answers may be just stupidity, but to paranoid me it suggests a trap. They are trying to get him to do something so that they can accuse him of doing something clearly illegal and have the FBI/CIA get rid of him. The fact he's sent an email suggests he's completely screwed unless he's done that through TOR + an anonymizer service.
What to do
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();