Correct security etiquette?
Like most, I like to keep my web applications updated with the latest security upgrades. However, I find myself in a small conundrum and am wondering about proper security etiquette. Here's the scenario: A website that I have worked on has a PHP application installed that apparently has a severe unpatched security vulnerability. Problem is, not only has the software vendor not acknowledged this supposed issue, but apparently they also remove posts from their support forum that relate to the problem, leaving customers completely in the dark. They also won't reply to emails about the issue. I've heard that some web hosts have gotten savvy to the problem and are disallowing the installation of this app on their servers. I am not aware of the exact nature of the vulnerability. Without doing my own top-to-bottom code audit, how else would I arrive at getting this resolved? If the company won't reply to communications about this, whom do I turn to? I can't report anything specific to a site like securitytracker.com; I don't even know for certain if this severe vulnerability exists. Are there security hackers out there who take requests for apps to probe? What would be the right course of action to get this security hole patched for all customers of this company?