"I’m not a lawyer, but Full Disclosure should be your absolute last resort — even though you have to weigh the users privacy and data."
I absolutely agree with you. In my case I found a leak of 13000 personal email addresses with some personal things like weight, name, etc. And the case is that I can't share it to…
"It is incredibly hard to responsibly tell people about a vulnerability and make them fix it or let them help you fix it for free"
The same for me. But do you know what to do if a company is not interested in fixing critical things? Like private data of all users which leaked for some reason. If they just ignore it — is it legal to make a full disclosure?
Thanks man! Actually it doesn't matter what you are planning to check. The article is about "how to configure" your payload. And then you can do whatever you want. Any type of request. Any type of user action (voting, registration)…