Although I have been reading things from hostballs for quite a while, this is the first time I have posted something, and it is security related.
So recently a guy I know asked me to help him move his site from a shared host to another shared host as his current plan was about to expire and he wasn’t 100% satisfied with their services. So after some suggestions we ended up moving the site to a company I personally use to host a VPS (for around 8 months) and it’s super stable even when it’s stressed.
A few weeks go by and I add another addon domain to the same hosting plan (can add up to 5) and run some scripts to check the server security.
To my surprise, what I discovered, other than the fact that I could run Python scripts on the server’s side and pretty much burn 90% of the server’s bandwidth, is that I can explore everyone’s paths, plus I have access to most of the other clients’ databases (and can add / remove / modify pretty much anything in these databases).
I have asked the company if they happen to have a bug bounty program and sadly they don’t …
How should I proceed? Has anything similar happened to you? I’m obviously not going to use this info to harm others, I’m just trying not to create a legal shitstorm out of nowhere.
Please give advice, which I will greatly appreciate!