How long should one give for a website to fix their security flow before warning their customers?
Corollary: How should it be done since I can't reach out to their customers?<p>Background:
The hack is simply changing the id variable in the url.
It's a serious bug as you can view some of my photos from my various social networks.
This could be detrimental to the VC backed company as they just did a Groupon-type deal (which is how I came to be a customer).
Send a high priority email to their customer support (or alike), wait 24 hours, if no response is received then tell the customers (blog post? forum thread? hnews/reddit?).<p>If response is received wait a week or so and, again, check for the existence of the exploit.