While on a 14 day-long dive trip around Cocos Island in Costa Rica, I stumbled across a vulnerability in the member portal of a major diving insurer - one that I’m personally insured through. What I found was so trivial, so fundamentally broken, that I genuinely couldn’t believe it hadn’t been exploited already.
I disclosed this vulnerability on April 28, 2025 with a standard 30-day embargo period. That embargo expired on May 28, 2025 - over eight months ago. I waited this long to publish because I wanted to give the organization every reasonable opportunity to fully remediate the issue and notify affected users. The vulnerability has since been addressed, but to my knowledge, I have not received confirmation that affected users were notified. I have reached out to the organization to ask for clarification on this matter.
This is the story of what happened when I tried to do the right thing.
That’s a crazy story. Glad you didn’t get caught up in their incompetence. Do you still do business with them?
Nah, once I moved jobs and started holding nontrivial amounts of retirement and TFSA stocks I opened accounts with a new broker.