Confirmed this today and reported it.
Essentially, the vulnerability in the tool is that *in a specific circumstance* - which is that a person has an existing account in the product from a previous employer (which many people do, since it's so widely used) - all you need is their personal email address.
With that address, and without any further interaction from the victim, the tool will give you their:
- date of birth
- SSN
- last known street address
- phone number
It’s been 5 months now.
I submitted this issue through a managed bug bounty program.
The vendor acknowledged it pretty quickly (within 12 hours), but I’ve had little info since then. It sits open in the queue. The labels “P1”, “Critical”, and “Unresolved” adorn the bug bounty tracker UI.
The company that manages the bug bounty has been unable to get them to respond.
A reminder that if you are going to do a bug bounty, you should do it properly.
So I get daily emails from Bugcrowd on this now.
Basically they are saying, “we have been unable to get a response from the customer - we’ll keep trying.”
So I suggested that they just cut off their customer from receiving further submissions if they aren’t responding and seemingly just want free pen testing. Simple.
Ah, but then they wouldn’t get paid…
8 months after I reported this, the vendor is due to push a fix this week (they eventually got back to me).
The vuln has been there this whole time.
Will they actually fix it? Who knows.