{"id":527,"date":"2015-07-24T21:07:15","date_gmt":"2015-07-24T20:07:15","guid":{"rendered":"http:\/\/daniel.hepper.net\/blog\/?p=527"},"modified":"2015-07-24T21:07:15","modified_gmt":"2015-07-24T20:07:15","slug":"why-you-need-a-security-address","status":"publish","type":"post","link":"https:\/\/daniel.hepper.net\/blog\/2015\/07\/why-you-need-a-security-address\/","title":{"rendered":"Why you need a security@ address"},"content":{"rendered":"<p>If you run any kind of web service, you should set up a security@yourdomain.com email address, display it prominently on your website and make sure it gets read by an employee with a technical background.<\/p>\n<p>Not convinced? As a case study, check out <a href=\"https:\/\/news.ycombinator.com\/item?id=9941459\">this post on HackerNews<\/a>. The OP said he had tried to report a security vulnerability to a messaging and voice services provider, but nobody would listen to him.<\/p>\n<p>The suggestions ranged from full disclosure to emailing the CTO. I pinged the official Twitter account of the company with a link to the thread, but they brushed it off. Ironically, the company even advertises their service as a security solution on their Facebook page.<\/p>\n<p>After about two hours, a member of the ops team finally chimed in on HackerNews and the issue got addressed. A little later, they also got back to me via Twitter. But the damage was done: people had started telling stories of unrelated bad customer service experiences, and one person said they were going to evaluate a competitor.<\/p>\n<p>With a security contact prominently visible on the website, the whole thing could have been avoided.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you run any kind of web service, you should set up a security@yourdomain.com email address, display it prominently on your website and make sure it gets read by an employee with a technical background. Not convinced? 
As a case study, &hellip; <a href=\"https:\/\/daniel.hepper.net\/blog\/2015\/07\/why-you-need-a-security-address\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[10,30],"tags":[],"class_list":["post-527","post","type-post","status-publish","format-standard","hentry","category-security","category-software"],"_links":{"self":[{"href":"https:\/\/daniel.hepper.net\/blog\/wp-json\/wp\/v2\/posts\/527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.hepper.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.hepper.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.hepper.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.hepper.net\/blog\/wp-json\/wp\/v2\/comments?post=527"}],"version-history":[{"count":2,"href":"https:\/\/daniel.hepper.net\/blog\/wp-json\/wp\/v2\/posts\/527\/revisions"}],"predecessor-version":[{"id":530,"href":"https:\/\/daniel.hepper.net\/blog\/wp-json\/wp\/v2\/posts\/527\/revisions\/530"}],"wp:attachment":[{"href":"https:\/\/daniel.hepper.net\/blog\/wp-json\/wp\/v2\/media?parent=527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.hepper.net\/blog\/wp-json\/wp\/v2\/categories?post=527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.hepper.net\/blog\/wp-json\/wp\/v2\/tags?post=527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
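The post's advice is to publish a security@ address and keep it discoverable. The standardized way to do that today is a `/.well-known/security.txt` file (RFC 9116), which postdates this 2015 post and is not mentioned in it. The following is an added example, not code from the post or from the company it discusses: it renders the minimal file the RFC requires (at least one `Contact:` and exactly one `Expires:` line) for a security@ mailbox, then runs the sanity checks a practitioner would want before deploying it. The domain `example.com`, the `NOW` timestamp (the post's own date, used so the check is reproducible offline) and the bad sample file are constructed for the example.

```python
"""Generate and sanity-check a /.well-known/security.txt file (RFC 9116).

Added example. All domains, addresses and dates below are constructed
placeholders, not the company or the people from the post.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# RFC 9116: Contact and Expires are required; Expires must appear exactly once.
REQUIRED_FIELDS = ("contact", "expires")
# Contact values are URIs; these are the schemes the RFC gives as examples.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


def build_security_txt(domain: str, contact_email: str, expires: datetime,
                       policy_url: Optional[str] = None) -> str:
    """Render a minimal security.txt for the given security@ address."""
    lines = [
        f"# Security contact for {domain}",
        f"Contact: mailto:{contact_email}",
        # RFC 9116 wants an ISO 8601 datetime; render it in UTC with a Z suffix.
        f"Expires: {expires.astimezone(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')}",
        f"Canonical: https://{domain}/.well-known/security.txt",
    ]
    if policy_url:
        lines.append(f"Policy: {policy_url}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Collect 'Field: value' lines into a lower-cased field map.

    Comment lines (#) and blank lines are skipped; a field may repeat, so each
    name maps to a list of values.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: List[str] = []

    for required in REQUIRED_FIELDS:
        if required not in fields:
            problems.append(f"missing required field: {required.capitalize()}")

    for contact in fields.get("contact", []):
        # A bare address or an http: URL is a common mistake; the RFC wants a URI.
        if not contact.lower().startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"contact is not a mailto:/https:/tel: URI: {contact}")

    expires_values = fields.get("expires", [])
    if len(expires_values) > 1:
        problems.append("more than one Expires field")
    for value in expires_values:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 datetime: {value}")
            continue
        if expires.tzinfo is None:
            problems.append(f"Expires lacks a timezone: {value}")
        elif expires <= now:
            problems.append(f"file has expired: {value}")
        elif expires > now + timedelta(days=365):
            # The RFC recommends an Expires value less than a year in the future.
            problems.append(f"Expires is more than a year out: {value}")
    return problems


# Constructed inputs: the post's publication date as "now", a good file
# rendered by build_security_txt, and a bad file with two typical mistakes.
NOW = datetime(2015, 7, 24, 21, 7, 15, tzinfo=timezone.utc)
GOOD_EXAMPLE = build_security_txt("example.com", "security@example.com",
                                  NOW + timedelta(days=180),
                                  policy_url="https://example.com/security-policy")
BAD_EXAMPLE = "Contact: http://example.com/contact\n"  # no Expires, plain http

if __name__ == "__main__":
    print(GOOD_EXAMPLE)
    print("good:", validate_security_txt(GOOD_EXAMPLE, now=NOW))
    print("bad: ", validate_security_txt(BAD_EXAMPLE, now=NOW))
```

Serve the generated file over HTTPS at `/.well-known/security.txt`, and treat the `Expires:` check as a reminder to re-verify, once a year at most, that the mailbox behind `Contact:` still lands in front of someone technical; a published address that nobody reads is the situation the post describes.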