Not really a tech person, so apologies if this is the wrong place to post this. Also going to be a bit vague with details for obvious reasons.
A while ago I got a home automation type thing that monitors energy use. The first thing I did was poke it a bit to see how it worked and I was able to get a shell with root privileges. At first I figured it was intentionally left open (it is my device and all), but it quickly became obvious that it wasn’t intentional. I found login/passwords, encryption keys and such. This let me log in to the developers’ git repo, cloud services and pretty much everything.
With all of this I am able to access every installed device, which is not a good thing. These devices are connected to domestic solar installations and have full access to the inverter over Modbus, essentially giving me control of a small power plant worth of electricity.
I informed the company and they were very thankful, they paid me some money and said they’d be in contact once they’d fixed everything. It’s been a while since then, so I checked back a week or so ago and the issues are still there.
Where do I go from here? I can badger them again, but I’d be worried they’d paper over the holes and not really fix anything. I can disclose everything publicly, but they know who I am so I might get in trouble. I can also ignore it, but it’s a pretty nasty security flaw in what amounts to critical infrastructure.