
Ask HN: How do I respond to someone claiming he has an exploit on my site? - throwway86753O9
He's gone straight to asking if we'll pay for an exploit. I'm pretty sure it's a scam but obviously don't want to get in a situation where we've ignored a real issue. We don't have an official bug bounty program, but we'd be happy to pay out if it turns out to be a real exploit. What's the right course of action here?
======
LinuxBender
In my opinion and experience, if you decide to communicate with the
individual, ask them to create an account on HackerOne [1]. You should do so
as well. Even if the pay-out for your bugs was really small, at least you have
given the person an opportunity to register a payment method that can
potentially link back to them. You would have also given them and others a
well defined process to report the bug.

[1] - [https://www.hackerone.com/](https://www.hackerone.com/)

On a side note, look through all of your access logs leading up to the
communication. That can give you an idea of what bots and security tools were
enumerating. Then dig deeper into each script they hit with your security
team, or hire someone to analyze your code. Also, try to export dumps of your
databases and look for things that should not be there, i.e. entries by
unauthenticated services or users.

~~~
jamieweb
Is it possible to give a bounty to a user on HackerOne even if you don't run a
bounty program? I thought that the only way to pay them was if they submit a
report to your own program. Obviously this is a problem if you don't have a
program.

~~~
LinuxBender
You would create your bounty program through them. The hackers would register
with HackerOne and follow their process. In my opinion, that is much safer
than creating your own program if you don't already have modest-sized legal,
compliance and security teams.

~~~
jamieweb
Right yeah that's what I was thinking.

The problem is that the process of creating a HackerOne bounty program can
take a short while to get to the stage where you can invite hackers - if you
have an active hacker on the line like OP does, that could be too long of a
wait.

~~~
LinuxBender
Advise them you are looking into creating your bug bounty program and kindly
ask them to wait while you get things set up.

------
rayvy
1) Identify the _absolute worst thing_ that can happen if this individual does
truly have a significant exploit on your site. What is the _absolute_ worst
thing?

2) Accept that #1 might happen. As in _truly_ accept this as a possibility.

3) Work in ways to mitigate #1. What active steps can you start taking right
this very minute to mitigate any potential damage done from the worst case
scenario in #1?

------
crudd
I would start by trying to scan the site using something like nmap or
Metasploit ([https://www.metasploit.com/](https://www.metasploit.com/)) to see
if they find anything.

------
jamieweb
In my experience, most of these are just low-level extortion attempts where
they run a point-and-click vulnerability scan and ask for money to see the
results.

Before I had a bounty program I'd politely reply asking for information on the
vulnerability, but now I do have a bounty program so I just point them there.

If the issue turns out to be real and you want to reward them, be very careful
paying them directly, as often they seem to want Google-level bounty values
even though you might only be a small business.

------
onemoresoop
I would not open any dialogue with the attackers. Here's the advice from the
FBI for ransomware:

[https://www.fbi.gov/investigate/cyber](https://www.fbi.gov/investigate/cyber)

[https://www.fbi.gov/file-repository/ransomware-prevention-an...](https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view)

------
Michielvv
It depends a bit on the phrasing, but in all cases where someone asked if we
would pay for vulnerability reports and we replied we would not pay, only
offer acknowledgement on our security page, they would still share the report.

If you are going to pay, make sure you clearly state scope and the type of
exploits you pay for. Otherwise there is a high probability of it being
something in the realm of being able to iframe your site.

------
Rjevski
Look through your access logs and see if you can figure out what they found.

If you can't, talk to them about what kind of exploit it is (so you can agree
on a reasonable payout) and then pay on the condition they do a non-destructive
demo of the exploit.
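
Both LinuxBender and Rjevski suggest going through the access logs leading up to the contact to see what was being enumerated and which scripts were hit. The following is an added example of that triage, not code from any commenter: it parses a handful of constructed Apache/nginx "combined" format log lines (made-up IPs, paths and user agents), groups requests per client, and flags clients whose behaviour looks like a point-and-click scan (a burst of 4xx responses across many distinct paths, or a user agent carrying a known scanner's default signature), returning the list of paths each flagged client touched so the security team knows where to look first. The thresholds and the scanner token list are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample log in Apache/nginx "combined" format. The addresses are
# from documentation ranges and the paths/user agents are invented; this is
# not data from any real site.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
203.0.113.7 - - [10/Mar/2024:14:02:13 +0000] "GET /about HTTP/1.1" 200 3100 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
198.51.100.23 - - [10/Mar/2024:14:05:01 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.23 - - [10/Mar/2024:14:05:01 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.23 - - [10/Mar/2024:14:05:02 +0000] "GET /old/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.23 - - [10/Mar/2024:14:05:02 +0000] "GET /test/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.23 - - [10/Mar/2024:14:05:03 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
192.0.2.88 - - [10/Mar/2024:14:09:40 +0000] "GET /healthz HTTP/1.1" 200 15 "-" "UptimeProbe/1.0 (constructed monitoring agent)"
192.0.2.88 - - [10/Mar/2024:14:10:40 +0000] "GET /healthz HTTP/1.1" 200 15 "-" "UptimeProbe/1.0 (constructed monitoring agent)"
192.0.2.88 - - [10/Mar/2024:14:11:40 +0000] "GET /healthz HTTP/1.1" 200 15 "-" "UptimeProbe/1.0 (constructed monitoring agent)"
192.0.2.88 - - [10/Mar/2024:14:12:40 +0000] "GET /healthz HTTP/1.1" 200 15 "-" "UptimeProbe/1.0 (constructed monitoring agent)"
192.0.2.88 - - [10/Mar/2024:14:13:40 +0000] "GET /healthz HTTP/1.1" 200 15 "-" "UptimeProbe/1.0 (constructed monitoring agent)"
"""

# One line of the "combined" format: client, identity, user, [time], "request", status, size, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that appear in the default user agents of common web vulnerability
# scanners. Assumed list for illustration; extend it from your own logs.
SCANNER_UA_TOKENS = ("nikto", "nmap scripting engine", "sqlmap", "masscan", "nuclei", "zgrab")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def summarize_clients(records):
    """Aggregate request count, error counts, distinct paths and user agents per client IP."""
    stats = defaultdict(lambda: {"requests": 0, "errors_4xx": 0, "errors_5xx": 0,
                                 "paths": set(), "user_agents": set()})
    for r in records:
        s = stats[r["ip"]]
        s["requests"] += 1
        if 400 <= r["status"] < 500:
            s["errors_4xx"] += 1
        elif r["status"] >= 500:
            s["errors_5xx"] += 1
        s["paths"].add(r["path"].split("?", 1)[0])  # drop the query string when grouping paths
        s["user_agents"].add(r["ua"])
    return stats


def flag_enumerators(stats, min_requests=4, min_4xx_ratio=0.5):
    """Return {ip: {"reasons": [...], "paths": [...]}} for clients that look like scanners.

    A client is flagged when it made at least min_requests requests and at least
    min_4xx_ratio of them failed with 4xx (typical of wordlist enumeration), or when
    its user agent matches a known scanner signature. A steady monitoring probe
    hitting one path with 200s is deliberately not flagged.
    """
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["requests"] >= min_requests and s["errors_4xx"] / s["requests"] >= min_4xx_ratio:
            reasons.append(f"{s['errors_4xx']}/{s['requests']} requests returned 4xx "
                           f"across {len(s['paths'])} distinct paths")
        for ua in s["user_agents"]:
            hits = [tok for tok in SCANNER_UA_TOKENS if tok in ua.lower()]
            if hits:
                reasons.append(f"user agent matches scanner signature {hits}: {ua}")
        if s["errors_5xx"]:
            reasons.append(f"{s['errors_5xx']} requests produced 5xx errors (review those handlers)")
        if reasons:
            # The path list is what the security team digs into next.
            findings[ip] = {"reasons": reasons, "paths": sorted(s["paths"])}
    return findings


if __name__ == "__main__":
    for ip, f in flag_enumerators(summarize_clients(parse_log(SAMPLE_LOG))).items():
        print(ip)
        for reason in f["reasons"]:
            print("  -", reason)
        print("  paths to review:", ", ".join(f["paths"]))
```

Run it against an exported log file instead of SAMPLE_LOG and the flagged clients' path lists become the starting point for the deeper review LinuxBender describes; a flagged client that also produced 5xx errors is worth prioritising, since those handlers reacted to unexpected input.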

------
anoncoward111
Tell him that extortion isn't the best way to build a friendship and that if
he wants to do something illegal then you'll happily forward him the contact
info of some criminal attorneys.

~~~
LinuxBender
While this is true, the personality type of the white/grey/blackhat may take
that as provocative and a challenge. In my opinion, this is a risky approach.
If their intent is malicious, they will not be turned away by threats.

