科技回声 (Tech Echo)
A technology news platform built on Next.js, offering global tech news and discussion.

Ask HN: How should I publicly disclose a vulnerability without hurting users?

7 points by azelfrath over 13 years ago
I don't want to mention names right now or go into too much detail, but I have found a vulnerability in an open-source application that could be exploited to financially damage those who run it. I have tested this myself under various setups and confirmed that it works.

I contacted the developers about the issue, including versions affected, the exploit, and the fix. Within 5 minutes, I had a response saying, in effect, that they "cannot be responsible for the user not knowing".

I'd submit a fix myself, but there's no place to do so. It's an open-source app but you cannot commit publicly. I want them to fix this because it's an extremely simple patch, and the potential damage resulting from an exploit would be crippling.

If I blog about it, or otherwise publicly post details, people could get hurt. If I don't, the developers have no reason (or rather, motivation) to fix it.

Advice?

3 comments

Natsu over 13 years ago
The EFF has a nice FAQ on this that you might find useful:

https://www.eff.org/issues/coders/vulnerability-reporting-faq
cpt1138 over 13 years ago
By hurt I assume you mean financially and not that anyone will be physically harmed. If you've done due diligence by contacting the developers I think you have a responsibility to make it known what you have found so that others can put pressure on to fix it. Just my .02
Comment #3332759 not loaded
ALBsharah over 13 years ago
Maybe a logical "2nd step" for you would be to disclose that you've found a substantial bug that could "financially harm users" if exploited...but don't actually share the exploit. Post that you've contacted the developers as of <date> and will give them X days to resolve the issue.

Now, as for that final step...that's up to you. Not sure of the legal ramifications for sharing the exploit, or frankly, what the benefit to the community would be. I think your goal should be to put pressure on the developers, but not to actually expose the threat. If they never get around to fixing it, you've just potentially screwed the community (not to mention those that might never see the update).