While on a 14 day-long dive trip around Cocos Island in Costa Rica, I stumbled across a vulnerability in the member portal of a major diving insurer - one that I’m personally insured through. What I found was so trivial, so fundamentally broken, that I genuinely couldn’t believe it hadn’t been exploited already.
I disclosed this vulnerability on April 28, 2025 with a standard 30-day embargo period. That embargo expired on May 28, 2025 - over eight months ago. I waited this long to publish because I wanted to give the organization every reasonable opportunity to fully remediate the issue and notify affected users. The vulnerability has since been addressed, but to my knowledge, I have not received confirmation that affected users were notified. I have reached out to the organization to ask for clarification on this matter.
This is the story of what happened when I tried to do the right thing.
The influential people in society have demonstrated and set the examples for everyone to never admit a mistake, and if you cheat or hurt someone, to blame them, and to assassinate their character. Lie, trash their character, accuse them of cheating you, etc.
It works too, people trust the more successful party. If you are some lower wage client of a company, and they are a successful internet company, people will give that company the benefit of the doubt. They will believe the rich guy that cheated you in his slander to make you the bully.
Tbf, that’s most business asset security SOP.