Quote from: BruceCampbell on July 19, 2013, 02:37 am
Come at me bro. Dude if you find any significant shit then give us hell about it. There's no pride in my opinion when it comes to security, so if you look at my shit and see something I fucked up I sure as hell want to know about it. Maybe give vendors like 36 hours to reply to fix it before you shame them though? Because if you don't then depending on what you find and release you might be handing info over to the enemy neatly bundled for analysis.

Vendors get 6 hours and that's it - no more no less if it's identifiable. If it's non-identifiable and just plain bad practice (i.e., a weak key which LE probably can find with their own crawlers) then you're thrown up automatically til it's fixed. If I'm too hanky-panky about it all, I think some may not take this seriously. Heck, might even start a "Secure Vendor" list for those who have every aspect covered flawlessly.

For identifiable information, obviously SR staff will be contacted and then once they've removed it, then I will list it (I won't mention what it was, only that it was serious). The reason being because if LE find it, which they probably have, then they'll be watching you already and you're then a risk regardless if you change it, and it's a known fact which I can verify myself for SR staff privately that LE crawl the marketplace with some pretty advanced bots.