Full disclosure works
Timeline (I think this is everything important):
| 13 Apr 01:28:45 -0400 | Phishing email exploiting unchecked redirect arrives |
| 13 Apr 01:54:51 -0400 | Emailed webinfo@capitalone.com to report it |
| 13 Apr 01:53:00 -0400 | Blog post posted |
| 13 Apr 16:29:45 -0400 | Inform Capital One of my intention to post to bugtraq in 24 hours |
| 13 Apr 16:31:11 -0400 | Capital One form letter arrives: “this [phishing] email has not compromised Capital One’s systems in any way,” |
| 13 Apr 16:44:42 -0400 | Reply to Capital One form letter: “this email has taken advantage of a compromised Capital One system: Capital One’s website redirects URLs without checking them….please see the note about bugtraq below” |
| 13 Apr 16:47:15 -0400 | Another form letter: “A Capital One representative will respond to your e-mail inquiry, usually within 24 - 48 hours. Please note, due to high email volumes, this timeframe may be extended to up to 72 hours”. I wonder if saying “bugtraq” provokes this response. |
| 19 Apr 16:32:15 -0400 | Four business days later (well beyond 72h), redirect is still unchecked. Post bug to bugtraq and cc Capital One |
| 19 Apr 16:53:46 -0400 | Reply to Capital One (signed by a human?) form letter: “the point is that the phishing email has exploited a flaw in Capital One’s systems. Your website permits unchecked redirects. This makes a phisher’s job much, much easier. |
| 19 Apr 18:01:00 -0400 | A bugtraq subscriber tells me that he’s emailed abuse@capitalone.com (I should have thought of that) |
| 19 Apr 14:27:05 -0800 | Another bugtraq subscriber tells me that it’s fixed. Checked myself — apparently, it is. |
| 19 Apr 18:55:38 -0400 | Send email to webinfo@, thanking them for fixing the unchecked redirect. |