this post was submitted on 21 Feb 2026
150 points (98.7% liked)

Technology

81611 readers
4581 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
150
I found a Vulnerability. They found a Lawyer. (dixken.de)
submitted 5 hours ago* (last edited 5 hours ago) by Beep@lemmus.org to c/technology@lemmy.world
7 comments fedilink hide all child comments
 

Lobsters.

While on a 14 day-long dive trip around Cocos Island in Costa Rica, I stumbled across a vulnerability in the member portal of a major diving insurer - one that I'm personally insured through. What I found was so trivial, so fundamentally broken, that I genuinely couldn't believe it hadn't been exploited already.

I disclosed this vulnerability on April 28, 2025 with a standard 30-day embargo period. That embargo expired on May 28, 2025 - over eight months ago. I waited this long to publish because I wanted to give the organization every reasonable opportunity to fully remediate the issue and notify affected users. The vulnerability has since been addressed, but to my knowledge, I have not received confirmation that affected users were notified. I have reached out to the organization to ask for clarification on this matter.

This is the story of what happened when I tried to do the right thing.

you are viewing a single comment's thread
view the rest of the comments
[–] Leeks@lemmy.world 8 points 2 hours ago* (last edited 2 hours ago) (1 children)

It is a “Diving insurer” not a “diving certifier”. This is likely DAN, since he is a PADI instructor and PADI pushes DAN.

[–] Deebster@infosec.pub 3 points 1 hour ago* (last edited 1 hour ago)

You're absolutely right, I'll edit my comment. Thanks for the catch.