How long is it worth waiting for a response when reporting a vulnerability on a website?
In general, I ran into something on the site of one of the largest XSS stores (though it seems to me this is not the only one): there is no filtering at all anywhere, in any of the fields. Hypothetically, you could turn it into an active XSS; I didn't dig too deep. I did not find the address of tech support or the webmaster in the contacts, so I sent a request asking where to go with the found vulnerability, first to one email where it was recommended to send any requests, then through the feedback web form. So far, no response, not even a hello. The question is how long it takes to get an answer. I intended to write a small article about this vulnerability with pictures or video, but I do not want to do this before they fix it.
Wait a week. If they don't answer, write an introduction to the article, like "Wrote, warned, they blew it off."
If the company is not an IT company, this will not be an easy quest.
To begin with, your description of the vulnerability must reach a person who is able to understand it (and can react). That is, you need to break through the first line of support, the second line, their bosses, and God knows who else, up to the sales director :) (an extreme case, if everything is bad with IT processes there). So first you have to write in a language that these people can understand. And describe not the vulnerability, but its possible consequences for the business. Moreover, these should be very concrete things, not abstract concepts. Like "it will be possible to download the entire catalog with prices", "get all the emails of employees", "hang porn banners", etc. The result of the first level is the contacts of the admin or developer and, of course, of management.
Then write to the administrator about the vulnerability, and to management about the situation as a whole: "such and such employees have been notified, so many days until publication, check."
Yes, being ethical is not easy.
If they haven't answered anything at all in a week, you can publish it. If they answered that they have taken it on, then you should wait until the vulnerability is closed, or at least a month. My personal IMHO.
What are you waiting for? If they don't respond at the contact addresses, you can just quietly forget about the vulnerability and continue to live in peace. Are you going to worry about someone else's site more than its owners do?
If you want to make money on vulnerabilities, then this is a double-edged sword. If you publish and someone takes advantage of the vulnerability, you will be found and held responsible, even if you yourself did nothing.
I wrote to the address indicated in the whois of the domain (following the advice above). I'll wait for the result; maybe they'll get moving faster there.
PS In general, it's funny how sometimes it's really difficult to do good for people. With such difficulties, sometimes you start to wonder why the hell you need it when it's much easier to go to the "dark" side (although I'm not going to).