Responsible disclosure shouldn't be this hard

Responsible disclosure is often a thankless job.

When I find open cloud buckets containing 10,000+ PII documents, what is the first step? Try to attribute ownership, so I can disclose responsibly.

My first attribution turned out to be wrong. The company replied that it probably belonged to someone else. Progress, right? I reached out to the other company through LinkedIn DMs and their website: “I have identified a vulnerability and would like to report it so you can fix it as soon as possible.”

No response.

Months later, the same buckets reappeared on my radar through River Security’s continuous data hunts, with new files exposed. Still unpatched. Still public.

So what do you do next? How far do you go to protect the public and the innocent? How many doors do you knock on before someone listens? Who can be responsible?

I reported it to the Norwegian National Security Authority (NSM / NorCERT): “Thank you for your report, we will investigate.” Then silence. Months passed. I escalated to Datatilsynet. Still nothing. The files remained public.

At some point you start asking: does harm actually need to happen before someone reacts? Around the same time I read about 100,000 Italian PII records leaked online, and here I was staring at a “small” 10,000+ dataset just waiting to be taken.

That is when I went to NRK, who published the story. Finally, through journalists, something happened: the buckets were removed and the data secured. You can read it (in Norwegian) here: Fant personopplysninger fra bilklage-selskap åpent på nett.

It should not have to be this hard. Thanks to Julie Helene Günther at NRK for getting it done.