
I’m wondering if their thinking was: if they contacted the sole developer, and he perceived it as a threat (whether security or personal livelihood) then the deck is stacked against them when they then have to escalate. The dev has already said “some hackers say they hacked my service” to TSA and kicked the beehive.

I wouldn’t have a clue who to report it to myself; the record of DHS is pretty awful too. Lots of folks are saying (and one even betting on!) them being charged for their find within the next couple of years, and given US federal agencies’ records when it comes to these vulns I’d be quite worried about it too if I had found it.


