webdev companies don't care!

...let us know what you think, free speech!
l0ngb1t
Fame ! Where are the chicks?!
Posts: 598
Joined: 15 Apr 2009, 16:00


Post by l0ngb1t »

So I was playing around last night and I came across a website which is SQL injectable... it had minor protection which can be easily bypassed... so I went to the website of the company that created this website and checked their portfolio. I tested some of their clients' websites (this company has branches in Canada and Emirate... they also provide anti-hacking systems!!!) and some of their clients are also vulnerable! After several Jack Daniels glasses.... the gentleman in me decided to do some good, so I e-mailed the chief developer telling him about the issue, and today, while trying to recover from the hangover, I checked my e-mail (a fake one of course) and I got this reply from the dude (copy paste as is):
I did not understand what you mean
And what is the relation between my emails and my clients accounts ?
Is he for real 8O
Ain't gonna contact them... let them drown in their own shit... I didn't ask him for anything, I just told him some of your clients have security issues bla bla bla...
There is an UNEQUAL amount of good and bad in most things, the trick is to work out the ratio and act accordingly. "The Jester"

reparto
Fame ! Where are the chicks?!
Posts: 288
Joined: 27 May 2013, 11:30

Re: webdev companies don't care!

Post by reparto »

I've seen this as well. People complain about hackers and stuff, but they don't realise that the companies who are attacked probably knew about the vulnerability but chose not to act on it.
Selling invisible pets:
Dogs - 0.5 Bitcoins
Cats - 0.7 Bitcoins
Unicorns - 10 Bitcoins
Chimpanzee - 2 Bitcoins

PM me if you are interested, will ship via priority airmail, will accept escrow services

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: webdev companies don't care!

Post by bad_brain »

I don't bother with informing companies about flaws anymore (well, not that I ever really did :lol: )... the only exceptions I would make are in context with FOSS, and there developers ask for that anyway because it's a main part of the whole idea.

And hey, what sense does it make? In the best case you will get a "thanks."... but often they either don't care at all and ignore you or even act like you are the one to blame for their sloppy security.... so yes, better cut down the Jack Daniels, it obviously makes you too kind. :lol:

P.S. Here's a nice one I discovered recently when trying to set up a customer site I created on their lunarpages.com "web hosting" package: they still use PHP 4.4.9, release date Aug 2008.