Hydrogen Aerospace is a France-based aerospace startup. We truly like their vision, but when it comes to cybersecurity, they quite literally aren't the one. We contacted Hydrogen on October 24th, 2021, regarding critical security issues on their website. It took them over 24 hours to fix one of many security issues, and we have yet to receive any formal response via email. The one simple issue they did fix involved modifying a single file on the server that hosts their website, which, as mentioned, took them a ridiculous 24+ hours. After we sent Hydrogen an encrypted email (with the list of security issues), we heard from them on Twitter, saying "They saw your email and will take corrective actions even if a lot of what you mentioned is already done". That last part is stupidly incorrect, as we proved that the security issues were still present. They then replied to our reply on Twitter (where we asked whether we could expect a response), saying "The team saw your email, but will not give you update about it for security reason". This is obvious straight bullsh*t. There is no reason why we cannot receive a formal response from the company stating that they received our email, that they understand the severity of these security issues, that they are working on fixing them, and that they appreciate our report and good intentions. Essentially ignoring our email (we have to assume it has been ignored or is not being taken seriously, given that we have not received a response) containing a list of critical security issues that need to be solved is extremely rude and unprofessional. If they really can't give us an update via email for "security reasons", then that indicates they have another security issue affecting their email system.
Hydrogen Aerospace needs to do better, act more professionally, and learn to communicate properly when it comes to critical security issues that need to be solved, because so far we have only heard back from them via an insecure, privacy-violating social media platform (Twitter), where we were given a vague and irrational response.
October 29th, 2021 Update: It has been over 6 days now, and a security flaw that we reported has still not been fixed, even though it can be fixed in literally less than 5 minutes. We had to respond to the owner (of hydrogen-aero.com) on Twitter more than 5 times, aggressively asking for a simple formal response (to our email) stating that they received it and are working on fixing the issues. All we got was a pointless, delayed response saying "Thank you". Please, for your own online safety, stay away from this website with its poor security.
October 31st, 2021 Update: It's stupidly ridiculous how this company can't fix a very simple yet dangerous security issue. We don't promote hacking, but go ahead and exploit this issue that they refuse to fix. They are missing a DMARC record on their domain hydrogen-aero.com, so go ahead and send a forged email to whoever you want originating from email@example.com containing a (fake) virus link. Their website is also extremely vulnerable to the simplest DDoS attacks (HTTP flood attacks). OVH provides transport-level DDoS protection but not application-level protection; we're not sure whether they know this, because their website has no web application firewall (we were able to access the website via various types of bots, including fake search-engine bots). Hopefully this will force them to fix this issue.
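The DMARC point above is easy to verify and easy to fix: a domain owner publishes a single TXT record at `_dmarc.<domain>` starting with `v=DMARC1` and a `p=` policy, and receiving mail servers use it to decide what to do with mail that fails SPF/DKIM alignment. The following script is an added example, not code from the original post or from Hydrogen Aerospace; it parses DMARC records and grades the resulting posture (missing, monitor-only, enforcing). The record strings in `SAMPLES` are constructed for illustration, and the optional live lookup assumes the third-party `dnspython` package is installed.

```python
"""Assess a domain's DMARC posture from the TXT record(s) at _dmarc.<domain>.

Added example (not part of the original post). SAMPLES are constructed
records; fetch_dmarc_txt() is the only part that touches the network.
"""
from typing import Dict, List, Optional


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into lowercase tag -> value pairs.

    Returns None unless the record begins with "v=DMARC1", which RFC 7489
    requires as the first tag; anything else is not a DMARC record.
    """
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue  # skip empty trailing segments such as after a final ';'
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess(txt_records: List[str]) -> Dict[str, str]:
    """Grade the DMARC posture implied by all TXT strings found at _dmarc.<domain>.

    Receivers require exactly one valid DMARC record; zero means no policy at
    all (the case described in the post) and more than one is treated as none.
    """
    valid = [r for r in (parse_dmarc(t) for t in txt_records) if r is not None]
    if not valid:
        return {"status": "missing",
                "detail": "no v=DMARC1 record; receivers apply no policy to spoofed mail"}
    if len(valid) > 1:
        return {"status": "invalid",
                "detail": "multiple DMARC records; receivers discard all of them"}
    rec = valid[0]
    policy = rec.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return {"status": "invalid", "detail": f"p= tag missing or unknown ({policy!r})"}
    pct = int(rec.get("pct", "100"))  # pct defaults to 100 per RFC 7489
    if policy == "none":
        status = "monitor-only"
        detail = "p=none only requests reports; forged mail is still delivered"
    elif pct < 100:
        status = "partially-enforcing"
        detail = f"p={policy} applies to only {pct}% of failing messages"
    else:
        status = "enforcing"
        detail = f"p={policy} applied to all failing messages"
    if "rua" not in rec:
        detail += "; no rua= address, so aggregate reports are not collected"
    return {"status": status, "detail": detail}


def fetch_dmarc_txt(domain: str) -> List[str]:
    """Live lookup of the _dmarc TXT record(s). Assumes dnspython is installed."""
    import dns.resolver  # third-party; assumption, not required for the checks above
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return ["".join(s.decode() for s in rdata.strings) for rdata in answers]


# Constructed sample records, one list per hypothetical domain.
SAMPLES = {
    "no-record.example": [],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example"],
    "strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        result = assess(records)
        print(f"{name:20} {result['status']:20} {result['detail']}")
```

Running the script prints one posture line per constructed sample; to check a real domain you own, replace the sample list with `fetch_dmarc_txt("your-domain")`. The fix the post is asking for corresponds to moving from the `missing` row to the `enforcing` one, usually by starting at `p=none` with an `rua=` address to collect reports and tightening to `quarantine` or `reject` once legitimate senders are aligned.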