On May 2, 2016, I reported, via an email to their support staff, a vulnerability contained within the Nerium International Account Center website. They did not respond to that email.
- On May 30, 2016, I sent a follow up email to their support staff inquiring if my previous email had been received and if they had an update on it, since I noticed the vulnerability was still present in their website. They did not respond to this email either.
- On June 3, 2016, because Nerium had not responded to either of my emails to their support staff, I sent a DM (Direct Message) to the Nerium Support twitter account inquiring about the status of the vulnerability I had reported. They did respond to my inquiry via twitter and after a few steps of requiring me to verify I was a Nerium customer, they stated, "Thank you. We appreciate you taking the time to share this information. We are evaluating the findings with our site architecture team." At that time, I also advised them that if this issue was not fixed in a timely manner, it had already been 32 days since my initial email, that I would publicly disclose the vulnerability.
- On June 17, 2016, I posted a public disclosure of the vulnerability. As a Nerium customer, I intentionally withheld many of the technical details of the vulnerability.
- On June 17, 2016, I received a cease and desist letter from Nerium's legal counsel requesting I take the public disclosure post down. Their cease and desist letter stated, "This statement is false, damaging, and disruptive to Nerium International’s business. A Nerium International customer cannot obtain the financial information of other customers."
- On June 18, 2016, not seeking to get involved in legalities, I have decided to comply with their request to remove the post. I do so in good faith that Nerium will fix the issue in a timely manner.