Ask HN: Should I report ESTA (esta.cbp.dhs.gov) security bug? How?
3 points by dandare on May 21, 2019 | 3 comments
While filling out the ESTA application at https://esta.cbp.dhs.gov/esta/application.html, after the form refreshed I was suddenly shown someone else's personal information.

I reported the security bug via https://help.cbp.gov/app/forms/complaint but I got a totally irrelevant response; no human probably read my message.

I would like to genuinely help the devs behind the site but I am also concerned about retribution from ego-tripping CBP officers. What are my options?




First entity that comes to mind that might be in a position to at least get the right eyes and attention to it, if not outright resolve it, would be 18F[1]; that's just a guess, though this seems right up their alley. I believe there are a couple of employees here on HN.

[1] https://18f.gsa.gov/


If there's not an obvious security contact at the agency, you can always report vulnerabilities to US-CERT, which has overall responsibility for connecting reporters to the right responders. https://www.us-cert.gov/

This links to the report form at https://www.kb.cert.org/vuls/govreport/

As with all vulnerability reporting, it's much more likely that someone will take action on your report if you can provide evidence or a reproducible proof of concept.

18F/TTS can sometimes direct reports to the right place, but it's really not their job to do so.


Some US Digital Service folks know people at DHS CIO and passing this on.



