Let's say you recently discovered some major vulnerabilities in a couple of web sites that operate mainly in your country and are very powerful in their market. The vulnerabilities I'm talking about are as bad as letting me browse the admin interface with superadmin privileges.
What would you do now? I'm thinking of something like:
- Report the problems to the company
- Publicly announce that there are security holes in those applications, but without disclosing the actual exploit
- Give the company time to fix its problems (how much?)
- After the problem has been fixed, or the grace period for fixing has passed (whichever comes first), fully disclose the vulnerability
What do you guys think? Do you have some materials to read about this or experience to share?