Responsible reporting of unencrypted login pages

I recently visited a very popular forum that requested a login/password information through an unencrypted page. While I'm very grateful your software notified me of this risk, I'm now concerned for everyone's personal information on the website. I immediately posted a warning on the forum about my experience, and sent a message to the website staff about the likely security flaw, but am not sure about best practices in vulnerability reporting and would like your advice, recommended reading suggestions, or links.

I read the Electronic Frontiers Foundation's page on vulnerability reporting and while I know some rudimentary programming, have some professional experience in the computer industry, I'm by no means a security researcher. I do trust your software and the warning I received, so I feel the only decent thing to do is to immediately warn the affected community and website administrators, which as I said, I already did. Is there a reasonable time frame that I should expect the website admins to rectify the issue before I notify tech reporters? Or should I contact tech reporters straight away and let them make that call?


  • In my completely non-expert opinion, there's no risk there. The lack of SSL is perfectly obvious to anyone using the page so you could never be accused of aiding hackers or criminals.

    Report it to the site admins, give them a week to respond and then report them if you don't get a satisfactory answer.

This discussion has been closed.