Krdytkyu

A company I used to work for developed a Point Of Sale system that also has an eCommerce portion. While working there, I discovered massive flaws with their security model.

Simply put, there is 0 server side validation.
Any user, logged in or not, can do things like edit prices, fake transactions, mess with time sheets, etc all from the comfort of their home.

I reported this several times verbally, but it was mostly ignored as not a priority.

They have since expanded their clientele, and now serve quite a few clients.
I have verified that the exploits still work just as they did several years ago.

I have no interest in saving face for this company, they treated me and many others very poorly and abusively, forcing overtime without pay and similar transgressions.

What is the best way to report this security issue? Do I send an email to their clients? Or should I publicly disclose the attack and let the internet handle it?

edit:
I would like to add that the exploits are not complicated or obscure, anyone who opens devtools in their browser would be able to figure out that they can just edit the data on the fly

edit 2:
After reading all of these responses, I will be sending the company an anonymous email with a POC. I will also be giving them a 60 day period to address the issue before I report it to their customers

A quick word of caution

You sound very invested in trying to do something. If I can be frank, it sounds like you are at least partially motivated by your frustrations with the way the company treated you as an employee. This can be understandable, but doesn't necessarily lead to good decisions. In particular one option you mention (contacting customers and informing them of the issues) is the sort of thing that, rightly or not, and regardless of how it might end, can result in lawsuits filed against you by your former employer. So tread lightly. All things considered that is probably a very bad idea.

Understanding the (flawed) business perspective

Unfortunately the situation you describe is not uncommon in the software industry. From the perspective of many companies, bring up security issues is asking them to spend real money (in terms of developer salaries) to fix a problem that they cannot see for a benefit that may not be needed for a long time (it may in fact be a while before someone tries to hack them). It's a hidden benefit with an upfront cost, and that is something that short-sighted thinking can easily ignore for a long time. After all, from their perspective, the things you are making a big deal about have never actually caused problems but will definitely take a lot of time and effort to fix, so why should they fix it? (I'm not saying they are right, I'm just explaining the thought process).

It's important to understand that this is obviously the approach that your ex-employer is taking. You have informed them of the issue and they have decided to ignore it. There is no reason to think that any (legal) action you can take as an outsider is going to change that, especially since you failed to make any changes as an insider. Of course we know that with bad security practices, someone finding and exploiting a weakness is inevitable, especially if they start to see any real kinds of success (i.e. having a large customer base). As long as none of their customers take the time to delve into potential security concerns proactively (and most don't, because they don't know enough to look properly even if they do care), situations like this can go on for a surprisingly long time before it causes real problems. In the worst-case scenario this leads to situations like the equifax security breach. For smaller companies this can result in complete bankruptcy.

Reality

So what do you do about it? If management knows about the problem but refuses to change, there probably isn't anything you can do to force them to change. You can try things you mentioned like reporting this to their customers, but their customers may not take you seriously. For all they know you are simply a disgruntled ex-employee trying to cause trouble for your previous employer. If they didn't know enough to look into these things before starting to use the platform, then there is no reason to think they know enough to take your claims seriously now. More likely than not you'll just end up being ignored or sued.

(per @forest's answer) You certainly should submit a CVE. You could also try submitting bugs through a third-party bug bounty program. There are some that have popped up in recent years and exist to try to act as a neutral arbiter between "independent security researchers" (aka you) and sites that otherwise don't have bug reporting programs (aka your former employer). Of course such programs work only if the company you are reporting bugs to actually listen. You already know that your former employer won't. However, having published and ignored vulnerabilities through standard channels will help their customers in the long run when they do get hacked. This will change the situation from simple incompetence to outright negligence, which comes with much stiffer financial penalties in civil court (FYI: IANAL).

Any further (legal) options will vary depending on your jurisdiction, aka in Europe you may find some venues for legal action through the GDPR. In many places though you probably don't have any options that can immediately bring legal trouble to them. Most likely that won't happen until they get hacked and their customers sue. Having a published CVE will help their customers when that happens. In the meantime, it sounds like you are thinking about posting something publicly "on the internet". What would be your goal there? Realistically, your attempts to do that will probably just be ignored by the internet. It's possible however that they may end up hacked much sooner as a result though. Without going through more standard channels though, you probably dramatically increase your own risk of legal repercussions. Therefore, I would personally keep to official channels.

Again, I may be misreading you, but I think your question is largely coming from the place of someone who is angry at a past-employer and is, to some extent, looking to cause trouble. That's a good way to get yourself in legal trouble or at least give yourself a bad name when trying to find jobs in the future. I think you should try to stop looking at this from the perspective of an ex-employee and focus more on the perspective of a neutral-security-researcher.

Request a CVE!

If you care at all about preventing potentially massive breaches, then you absolutely need to disclose the issue one way or another. If you cannot get this done by contacting the developers of the vulnerable application, you should request a CVE assignment for the issue. MITRE will deal with the rest.

I just realized that you said your "old job". My answer below still stands, but depends on if you still have contacts to responsible parties within the company.

If you reported the issue verbally and it was ignored, try reporting the issue in writing, possibly escalating the issue and copying people higher up the chain. You may have to speak management-speak, providing risks, costs, and benefits to the security fixes. Explain why this should be a priority over other items. Offer to give a demonstration to management to show just how easy the exploits are and point out that as soon as someone finds it, the company's reputation is heavily damaged.

Perhaps you can find a way to sell the idea of your company hiring a security auditor to find vulnerabilities. Where your management might respond to your security concerns as "Oh, Bob is freaking out about nothing again," they may take an auditor more seriously. In some jurisdictions, I'm sure there are legal requirements that a company must meet to handle personal data, you might be able to sell management on the idea if you tell them that you're not sure that you're in compliance and an audit needs to be done before a customer sues. Obligatory "I am not a lawyer".

If that doesn't work, I can't say that I recommend emailing clients or publicly disclosing the vulnerabilities unless you talk to a lawyer first and the lawyer tells you that you're in the clear. A company like you're describing would likely not see the situation as "Oh, now we have to fix this" but rather "A disgruntled employee is trying to destroy our business, we need to fight back."

Things that you can do from outside of the company:

After reading that you no longer work at this company, I had another idea: it may be possible to anonymously pose as an interested buyer of your company's product and ask questions indicating that you are very interested in making sure your data is safe. Ask if they do security audits, if they have any security certifications, what regulations they follow, things like that. Hopefully, someone in marketing won't just make up generic answers and will inquire with a developer or someone who is in charge of something. Maybe "losing a sale" due to their shady security practices will push the priority higher for them.

Since you do not disclose a location, I suggest to contact law enforcement, as the company may be in violation of several laws - especially so since they operate with financial transactions. Usually the law enforcement branch you contacted will then inform you who you actually should contact instead, which may be a different branch of law enforcement, a consumer protection organization, or no one at all.

Disclosing the security issue to the public or their clients, or threatening to do so - with your background that of a disgruntled employee - is another way to involve law enforcement. One you want to avoid.