There are a few avenues I don't hear people talk much about using, which I think would be far more effective and appropriate, without the ethical issues of public disclosure (which I think is rarely ever justified). I'd strongly urge anyone to exhaust all these avenues before even considering the typical public disclosure of a flaw's vulnerabilities. I have a hard time thinking of ANY circumstance in which it would be ethical to publicize an unfixed flaw before there is clear evidence someone else is already exploiting it.
1. Try to notify technical contacts, who can most efficiently and cheaply understand and fix the problem, with the least embarrassment or hassle.
2. Notify the legal department, outside counsel, accountants or auditors. They are responsible for dealing with risks to the company, and for certifying proper controls over financial or customer information.
3. Try to notify executive management directly.
4. Contact government and other regulatory or certifying bodies, such as PCI (for anyone handling credit cards), SEC (for public companies), FTC, Better Business Bureau, Chamber of Commerce, etc.
5. Report it to CERT.
6. If you're a customer, (politely) threaten to take your business elsewhere (or actually do it), or have your attorney send them a letter threatening to sue for putting your information or money at risk. You could threaten to make it a class action too. (Note that you'd need to be an affected customer to have standing to sue.)
7. For any public disclosure you may be tempted to make, go through a news organization, which will verify the information, contact the company for comment, and weigh the ethical pros and cons of how to tell the story effectively without revealing so much information as to do harm. Some "on your side" segments on local TV news might work well for this.
8. If you want to publish or comment publicly yourself, consult your attorney, and limit yourself to saying that there is a vulnerability, but not any details about it. But you can particularly publicize the company's (non-)response to it.
9. If you can document that someone else is already exploiting the flaw, you could report on the exploitation that's occurring, without being the one to expose the vulnerability.
10. And of course once the flaw is fixed, you could discuss it more widely as well.