I found a small vulnerability in American Express today. Nothing major, but something they’ll definitely want to fix.
I searched and found that they have a special dedicated vulnerability reporting email address. Cool.
I wrote them an email outlining the issue, and mentioning that I intend to publish the finding in 30 days.
They sent me back an autoresponse, saying that to “complete the submission of this report” I have to follow a link. That’s no issue; however, they also (inaccurately) claimed:
First off, fuck you. You don’t get to assert that I agreed to some legal contract (with a third party, no less!) because I clicked a link you sent me. That’s not how any of this works.
Second, why would you make the free donation of important business security information by a complete volunteer to a financial institution used by millions contingent upon agreeing to some random third party service’s legal contract? Are you fucking stupid? You want zero friction in this, even if you have to hire three shifts of inbound security disclosure email ticket triage staff. It’s not like this is Joe Appalachia’s Bumblefuck Credit Union: you’re in the top 10 of the Fortune 50 and have like a billion customers, and the economy of scale here is very nearly visible from the Kuiper belt.
Check back here on 24th May (my 30 day embargo period was specified in the email they seem to now have ignored) to read about AmEx doing some super duper bush-league amateur hour security mistake, which I’ll give you dollars to donuts is still happening on that date. Cheers!
Jeffrey Paul is a hacker and security researcher living in Berlin and the founder of EEQJ, a consulting and research organization.