Why don't Software Vendors care about security?

If those certificates aren't expired, you need to raise a security incident with that company, so they can revoke and re-issue the certs.

If you only raise it with the vendor, they likely won't do anything.

Do this in writing, do it unambiguously, and do it so that it's very clear that you're helping them and it won't be interpreted any other way. Occasionally someone misinterprets something and projects some kind of mistaken motive, and it's hard to get back on track after that.

I'd recommend talking to someone who's handled a disclosure of this sort before. It's pretty standard that if something isn't resolved within X time, the information is disclosed publicly.

/r/sysadmin Thread Parent