Information Security
fatalick, 2017-07-14 11:44:29

How to correctly notify the site owner about the presence of a vulnerability?

Good afternoon! I do pentesting, periodically testing random sites and finding vulnerabilities on them. The results vary: sometimes it turns out to be possible to dump a database containing personal data. In effect, this is unauthorized access to confidential information (although without disclosure or any further use for personal gain). Under the legislation of the Russian Federation, the very fact of illegal access to CI using non-standard AIS tools is a violation. Hence the question: how, from a legal point of view, do I competently report a hole to the site owner so that I am not later branded a villain? So far my idea is this: just report the presence of a vulnerability and the POTENTIAL possibility of exploiting it, as a result of which UA to CI is POSSIBLE.
UPD: The goal is to do this as openly and officially as possible.
UPD2: The site is quite large and runs large-scale projects, so I was interested in cooperating with them. I wrote them an email. So far there is no answer. If anything interesting comes of it, I will write here.


6 answer(s)
laxikodeje, 2017-07-15
@fatalick

Important:
1. Don't come across as a spammer. The message must be very personal.
2. Don't come across as a blackmailer.
I would describe in detail why you are writing.
Because otherwise:
Just yesterday I was shown a letter from one such "vulnerability notifier." It strongly resembled science fiction (ordinary people do not understand that their site can be taken over by someone else; they only read about that in the news) and blackmail (it sounded like: well, what are we going to do about this).
The manager, having received the letter, answered simply: "not interested." He did not pass it on to management or to the admin.
In general, this is a big problem.
I am PERSONALLY acquainted with the owners of a site. For HALF A YEAR I have been hammering them about a vulnerability. Spammers have already set up shop on their site. And they couldn't care less; well, no: they asked how much it would cost to fix. The price in my answer apparently did not suit them, and they decided that I simply want money. I think that until someone defaces them, they won't catch on.

CityCat4, 2017-07-14
@CityCat4

If the company has an official address (or several), send notifications to all of them along the lines of "blah blah blah." But the reaction will vary :) depending on what kind of company it is and how big it is.

Egor Kazantsev, 2017-07-15
@saintbyte

I don't know how it is now, but 15 years ago even large companies suffered from bugs; you had to do a really nasty deface before they started paying attention. I tried to get it working that way =)

Sergey, 2017-07-15
@gangstarcj

Write to the site owner something like

Hello, are you interested in having your site checked for vulnerabilities? Finding the bugs is free; if I find any, I will help fix them for a fee.

Dmitry, 2017-07-18
@Dit81

I was likewise looking for an answer to a similar question of my own ... I sent it from "my" throwaway e-mail. But many don't even write back a "Thank you" ... And of course, many don't even fix the bugs! )) Foreigners and our own alike ...
