All companies, software, and websites need to have a clear means of receiving information about vulnerabilities. Every application has vulnerabilities, and sometimes third parties just happen to see them. I was using a web app for a local diamond dealer. Clearly they deal with a high-value product that should be well protected. While I was browsing the site, I noticed that it appeared to use GET requests to pass item and price information. It turns out that the two aren’t cross-verified on the back end — it was possible to change the price. Maybe they have internal processes to verify the price, but maybe not. Likewise, if an evil attacker uses the vulnerability, is the merchant bound to the price they charged the credit card? They also allowed negative prices. Would the third-party credit card servicing site happily provide a chargeback?
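The defect described above is a server trusting a client-supplied price. As an added example (not the merchant's code, nor anything from the original post), the handler below shows the trusting pattern beside a hardened one that takes the price only from a server-side catalog and rejects zero or negative quantities. The catalog, item ids, query strings and the quantity limit are all constructed for illustration.

```python
"""Server-side price handling: a client-trusting checkout beside a hardened one.

Added example, not code from the merchant described in the post. The catalog,
item ids and query strings are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed catalog: the server's authoritative price list.
CATALOG = {
    "ring-001": Decimal("4200.00"),
    "pendant-017": Decimal("950.00"),
}

MISMATCH_LOG = []  # stand-in for the application's logger


@dataclass(frozen=True)
class Charge:
    item: str
    quantity: int
    amount: Decimal  # what would be sent to the card processor


def checkout_trusting_client(query: str) -> Charge:
    """The pattern described in the post: item and price both arrive in the
    GET query string and are used as-is, so the charged amount is whatever
    the browser sent, including a negative value."""
    params = parse_qs(query)
    item = params["item"][0]
    price = Decimal(params["price"][0])
    qty = int(params.get("qty", ["1"])[0])
    return Charge(item=item, quantity=qty, amount=price * qty)


class CheckoutError(ValueError):
    """Raised when a request cannot be turned into a valid charge."""


def log_price_mismatch(item: str, claimed, actual: Decimal) -> None:
    """Record that the client echoed a price other than the catalog price."""
    MISMATCH_LOG.append((item, claimed, actual))


def checkout_server_priced(query: str) -> Charge:
    """Hardened version: the price comes only from the server-side catalog.
    A client-supplied price is never used for the charge; if present, a
    mismatch is logged because it indicates tampering or a stale page."""
    params = parse_qs(query)
    item = params.get("item", [""])[0]
    if item not in CATALOG:
        raise CheckoutError(f"unknown item {item!r}")

    try:
        qty = int(params.get("qty", ["1"])[0])
    except ValueError:
        raise CheckoutError("quantity must be an integer") from None
    if not 1 <= qty <= 10:  # constructed business limit; rejects 0 and negatives
        raise CheckoutError(f"quantity {qty} out of range")

    unit_price = CATALOG[item]
    if "price" in params:
        try:
            claimed = Decimal(params["price"][0])
        except InvalidOperation:
            claimed = None
        if claimed != unit_price:
            log_price_mismatch(item, claimed, unit_price)

    return Charge(item=item, quantity=qty, amount=unit_price * qty)


def rejection_reason(query: str):
    """Return None if the request is chargeable, else the reason it was refused."""
    try:
        checkout_server_priced(query)
    except CheckoutError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    tampered = "item=ring-001&price=-50.00"  # constructed request with a negative price
    print("trusting handler charges:", checkout_trusting_client(tampered).amount)
    print("hardened handler charges:", checkout_server_priced(tampered).amount)
    print("mismatches logged:", MISMATCH_LOG)
```

The hardened handler treats the item id as the only client input that matters for pricing; the echoed price is kept solely as a tampering signal for the logs, which is also the detection hook a merchant would want when reviewing orders.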
I’ve tried to contact the merchant, but I just can’t seem to get through to anyone who understands the problem. I only want someone who understands the potential problem to be aware of it so that they can accept the risk or go about fixing it. So, new rule: if you have an application (web or otherwise), you MUST have a clear means of receiving vulnerability information.
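One standard way to provide exactly this channel is a security.txt file (RFC 9116) served at /.well-known/security.txt. The following is an added example, not a file from the merchant or the original post; example.com and the addresses in it are placeholders.

```text
# Served at https://example.com/.well-known/security.txt (RFC 9116)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: en
Policy: https://example.com/security/policy
Canonical: https://example.com/.well-known/security.txt
```

Contact and Expires are the required fields; the Expires date should be kept in the future, since a stale file tells reporters the channel is unmonitored, which is the situation the post describes.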
