this post was submitted on 21 Feb 2026
244 points (98.8% liked)


Lobsters.

While on a 14-day-long dive trip around Cocos Island in Costa Rica, I stumbled across a vulnerability in the member portal of a major diving insurer - one that I'm personally insured through. What I found was so trivial, so fundamentally broken, that I genuinely couldn't believe it hadn't been exploited already.

I disclosed this vulnerability on April 28, 2025 with a standard 30-day embargo period. That embargo expired on May 28, 2025 - over eight months ago. I waited this long to publish because I wanted to give the organization every reasonable opportunity to fully remediate the issue and notify affected users. The vulnerability has since been addressed, but to my knowledge, I have not received confirmation that affected users were notified. I have reached out to the organization to ask for clarification on this matter.

This is the story of what happened when I tried to do the right thing.

[–] Deebster@infosec.pub 30 points 2 days ago* (last edited 1 day ago) (1 children)

Disgraceful, old-fashioned actions from the unnamed diving ~~certifiers~~ insurer - and, as the major diving insurance company (based in Malta) is DAN World Insurance Group SP, it's clear that DAN puts their reputation above child safety.

(edited out misdirected finger pointing)

I would add that I'm not sure 30 days is "generous" given that 90 days is somewhat standard, but given that it took only two days for a lawyer's threats to arrive, that's not too relevant.

[–] Leeks@lemmy.world 16 points 2 days ago* (last edited 2 days ago) (1 children)

It is a “diving insurer”, not a “diving certifier”. This is likely DAN, since he is a PADI instructor and PADI pushes DAN.

[–] Deebster@infosec.pub 7 points 2 days ago* (last edited 2 days ago)

You're absolutely right, I'll edit my comment. Thanks for the catch.