Hello,

I think you chose the right list for such a question. I have had varied experience working with different companies in this field - I've led HACKPL Security Dep., and we receive plenty of information about various security issues. I think it is quite common that companies try to behave as if nothing really happened, or as if the issue wasn't that important. From my experience, a huge number of companies fail to inform their clients of problems when the issue is patched.

If you want to make the information public, make sure everything is _really_ patched, then ask the company to inform their Clients (if they don't want to do so). If the company says: 'Nothing baaad really happened. This and this could be done. Our clients are safe thanks to Our Gosh-So-Perfect Security Program. Thank You for sharing information with our Security Team.' then, in my opinion, you are free to inform the public of what really happened, as your intention was to bring true information to the public in order to make the community safer and _aware_ of the problem. (I would first inform the company of my plans, and if they didn't change their decision, I would reveal the information about the issue.) The issue might have affected many people, and people have a full right to be aware of eventual problems.

Finally, not only do many companies fail to react properly, but they also fail to act at all. I have experienced many situations when I informed them of the problems many times, and there was no response. Fortunately, the majority of serious companies solve the problems and treat clients with enough respect (to inform them of the problem).

One more thing, if you feel like you are skating on thin ice, send additional information to my personal email: michal.bucko <at> eleytt <dot> com. I think we could find a good solution for your problem. Before writing, be sure to check on the legislation in your country (it would be nice if you had any lawyer friend who could advise you).

Cheers!
mb