

Ask HN: Should I report a security vulnerability? - devonbarrett

While browsing through my attendance on my school's registration system, I started playing with the URL so I could see the data I wanted. Through doing this I noticed some major SQL injection vulnerabilities that gave me the ability to alter the data and view other students'.

Given the cases of this backfiring on the person who reports it, what should I do?
======
tptacek
What you did was unlawful. Had you downloaded the software they were using and
tested it yourself, you'd have been fine. But testing live web applications
that other people operate is dangerous.

Speaking from the vantage point of someone who tests applications for a living
and helps manage many tens of concurrent projects: it is surprisingly easy to
crash a site by dicking around with URLs trying to find SQL injections (here's
a classic example: some other part of the system you weren't aware of caches
every hit to the URL you're testing and displays a result based on it to users
elsewhere; your query generates an exception, bang, feature dead).

If you noodle around with someone's application just to see how riddled with
SQL injections it is, and you blow up their app, there's a decent chance your
actions were tortious. You can get sued. Nobody will care about your
intentions; everyone (at least, everyone who matters) will tell you you
shouldn't have been testing to begin with.

I think you're in a bit of a pickle, because I think it's also unethical to
sit on your hands if you know a firm is putting its users at risk by fielding
a comically insecure application. I'm on the side of "report anonymously".
It's obviously possible to do this safely if you try hard enough, but I don't
even think you need to try that hard.

A growing number of US companies, most notably Google and Facebook, now reward
people who find vulnerabilities on their sites. They've deliberately made it
much harder to grief people who test them for vulnerabilities. This is a trend
you could reward by giving them more of your business.

------
czbond
Do not report it at all - even anonymously! My friend's wife works for one of
the top digital forensics firms in the US (they're who lawyers use to
understand what happened and when). He's told me too many unfortunate cases
where people reported items like this to Fortune 500 companies, that were
then prosecuted harshly. I have issues with it - but it's how the world works.
I would stay away from it.

------
dokem
I wouldn't even attempt to report it anonymously.

I found something similar on one of my school's internal sites; there was even
a disclaimer that said something along the lines of 'Please don't enter any
semicolons or quotation marks...'. I just walked away from it. It's not worth
getting in trouble because, for some reason, schools hire incredibly shitty
web developers.
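
The "don't enter semicolons or quotation marks" disclaimer mentioned above is a blacklist, and a blacklist does not protect a numeric URL parameter. The following is an added example, not code from the thread or from any school's system: it uses a constructed in-memory SQLite attendance table with hypothetical column names and shows the filter-and-concatenate lookup beside a parameterized one.

```python
import sqlite3

# Constructed sample data standing in for a school's attendance table.
SAMPLE_ROWS = [
    (101, "alice", "present"),
    (102, "bob", "absent"),
    (103, "carol", "present"),
]


def make_db():
    """Build the constructed attendance table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attendance (student_id INTEGER, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO attendance VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_filtered(conn, student_id):
    """Vulnerable: strips ';' and quotes (the 'disclaimer' defense), then
    concatenates. A numeric parameter needs neither character to be abused."""
    cleaned = student_id.replace(";", "").replace("'", "").replace('"', "")
    sql = "SELECT student_id, name, status FROM attendance WHERE student_id = " + cleaned
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, student_id):
    """Hardened: validate the type, then bind the value. The driver sends it
    as data, so it can never change the shape of the query."""
    try:
        sid = int(student_id)
    except ValueError:
        return []  # reject anything that is not a plain student id
    return conn.execute(
        "SELECT student_id, name, status FROM attendance WHERE student_id = ?", (sid,)
    ).fetchall()


def demo():
    """Run both lookups on a normal id and on a tampered one; return the rows each sees."""
    conn = make_db()
    benign = "102"
    # Contains no semicolon or quote, so the blacklist passes it through unchanged.
    tampered = "102 OR 1=1"
    return {
        "filtered_benign": lookup_filtered(conn, benign),
        "filtered_tampered": lookup_filtered(conn, tampered),  # every student's row
        "param_benign": lookup_parameterized(conn, benign),
        "param_tampered": lookup_parameterized(conn, tampered),  # rejected, no rows
    }
```

The filtered lookup returns every student for the tampered id, which is exactly the "view other students" exposure the original poster describes; the parameterized lookup returns nothing because the value is validated and bound rather than spliced into SQL.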

------
projuce
You should check if the software is listed on the bugcrowd bug bounty list.
It's a list of websites and software which accept responsible disclosure of
security issues.

[http://bugcrowd.com/list-of-bug-bounty-programs/](http://bugcrowd.com/list-of-bug-bounty-programs/)

If you can't find it there you should send them an email and suggest they add
it.

------
t0
Report it anonymously.

