found some security problems with elten
#1 adisonverlice2
hi:
I managed to find some security problems with elten link website.
I was hoping to somehow get in contact with pajper on this as I want to responsibly disclose it to him.
does he have any contact options, preferably secure contact information which I can contact him?
#2 alchappers
I don't know, I assume the only way is Elten messages, so I think you're out of luck when it comes to like, quote unquote, more secure, options, you'll probably just have to send it to him via a PM on here.
#3 adisonverlice2
not like I can. the web version does not have that option
#4 GeorgeWu
You can see the developer's email on the visiting card.
#6 GeorgeWu
yes.
#7 adisonverlice2
alright. I will email him. he will have a week to respond to me. if not, I will publicly disclose the vulnerabilities. that also falls under whether he fixes them or not. if not, then I will disclose them, as some of them are severely high. this isn't an attack on pajper, but I think he needs to learn security.
#8 adisonverlice2
sent.
I packaged it within an encrypted nordlocker folder for security reasons, so it requires a code to download the folder
#9 pajper
Hello,
I really appreciate your willingness to help. However, I'd like to share some advice based on my experience and similar situations I've encountered in the past.
Before reporting a security flaw, take a moment to consider what you know about the person you're addressing. In this case, you're writing to someone who works professionally as a programmer, not just as a hobby. I have conducted security analyses and reported flaws in various applications as a part of my professional experience.
I'm not saying this to suggest that I couldn't have made a rookie mistake in Elten code. Quite the opposite - there's no such thing as a mistake that can't happen. My point is about probability.
If the probability of such an obvious error is low, and it is flagged by even free tools, then before reporting it, make sure it genuinely exists. Otherwise, your reports may lose credibility, and someday you might discover a genuine vulnerability just to be underestimated.
I have been sent two files. The first is an API analysis. There's only one problem: this is not Elten API, but rather an example, as is clear from the URLs. The cited SQL Injection is just an example; such URLs and functions do not appear in Elten API at all.
The second report is an analysis of the website, and here indeed two medium-level warnings were detected. However, this is a case of overinterpretation by the analyser, which assumed that the client_id cookie pertains to a session. In reality, the client_id merely identifies some data associated with the computer, such as language preferences, etc. The session is stored in Rack Pool completely independently.
I'd like to emphasise one thing here. Elten code has been developed since I was in middle school, and it is entirely possible that there are still undetected vulnerabilities. Looking back on it now, I feel like going back in time and giving my younger self a lecture.
Simply put, before reporting something, ensure that your report is accurate and not misleading.
Shoot for the Moon. Even if you miss, you'll land among the stars.
#10 adisonverlice2
I see.
thanks for addressing.
btw, do you plan to fix the https problem that some people like me have been having? the problem is that basically before going through https, sometimes things will route through https.