
Ask HN: How do I tell an Indie Dev about vulnerabilities that I exploited? - throwA2457
An Indie Developer sells his source code and a license to use it. His site is built on top of his product.

I watched a guide he created for getting started with his software. As he was demonstrating something I noticed a potential vulnerability. Out of curiosity I decided to try it out and see if it worked. And it did (I didn't expect it to). It allowed me to download the source that he was selling without having to pay.

Now it's probably at this point that I should have emailed him to tell him about the issue. Instead, I looked through the source and found a second vulnerability. This time, I didn't attempt to try it out on his site. But assuming that he uses the same code on his site, it means that anyone can purchase a license to use his source for any price they choose. Granted, if someone did this, he would probably notice that they didn't pay full price.

In short, I found two vulnerabilities on an Indie Dev's site that allows anyone to download his product, and pay any amount for a license.

How do I tell this Indie Dev about the vulnerabilities? I'm concerned that telling him I exploited a vulnerability (out of curiosity, not malice), and then found another makes me look like a black-hat.
======
austincheney
Just inform the developer outright. No need for secrecy. You are doing them a
considerable favor. Tell the developer you will publish these vulnerabilities
to the public in 3 months.

[https://en.m.wikipedia.org/wiki/Responsible_disclosure](https://en.m.wikipedia.org/wiki/Responsible_disclosure)

So long as you are not asking for any kind of compensation you are in the
right. The moment there is a question of compensation the subject changes from
responsible disclosure to extortion.

------
bruce511
I'll answer from the other side of the fence. I'm a semi-indie developer. I
mostly make software tools, almost all of which are distributed as source code.
(It's not open source, but licensees get it as source code.)

I get bug reports all the time. Some come with suggested fixes. Some discuss
vulnerabilities. All are accepted with appreciation. All people I correspond
with use their real names.

I don't have a bug bounty program, but folk who are helpful get discounts, and
in some cases free licenses to other bits.

Of course YMMV. But if it was me I'd just email them the info.

------
Foober223
There's a saying:

No good deed goes unpunished.

What's right for your personal morals may conflict with the law. I'm sure most
developers would appreciate the report. But some people misunderstand things.
Are unreasonable. Or psychopaths.

If you want to send a report there is absolutely a need for secrecy. It may
already be too late for perfect secrecy as all your actions on the internet
are logged, so it's possible for the US government to determine that you were
the one who downloaded source code. Unless you always use things like
encryption and Tor.

------
seanwilson
> In short, I found two vulnerabilities on an Indie Dev's site that allows
> anyone to download his product, and pay any amount for a license.

Would anyone really be brazen enough to obtain a license this way and expect
legal protection?

------
mettamage
I'll go for some low hanging fruit here.

Anonymous email, VPN and tell him. Demonstrate it, explain it and don't claim
the glory.

Disclaimer: I'm not a security expert so I've never done responsible
disclosure.

------
codegeek
I would just email in good faith but don't ask for any compensation unless they
have a bug bounty program, which is unlikely for an indie dev. I'm sure they would
appreciate it.

