Ask HN: How do I respond to someone claiming he has an exploit on my site?
13 points by throwway86753O9 42 days ago | 14 comments
He's gone straight to asking if we'll pay for an exploit. I'm pretty sure it's a scam but obviously don't want to get in a situation where we've ignored a real issue. We don't have an official bug bounty program, but we'd be happy to pay out if it turns out to be a real exploit. What's the right course of action here?

In my opinion and experience, if you decide to communicate with the individual, ask them to create an account on HackerOne [1]. You should do so as well. Even if the pay-out for your bugs was really small, at least you have given the person an opportunity to register a payment method that can potentially link back to them. You would have also given them and others a well defined process to report the bug.

[1] - https://www.hackerone.com/

On a side note, look through all of your access logs leading up to the communication. That can give you an idea of what bots and security tools were enumerating. Then dig deeper into each script they hit with your security team, or hire someone to analyze your code. Also, try to export dumps of your databases and look for things that should not be there, i.e. entries by unauthenticated services or users.
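The access-log review suggested above, as an added example that is not the commenter's code: a small Python script that parses combined-format log lines, aggregates per client IP, and flags sources that look like scanner traffic. The scanner user-agent fragments, probe paths, thresholds and the sample log lines are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Assumed user-agent fragments of common scanners, and paths real visitors rarely request.
SCANNER_UA = ("nikto", "sqlmap", "nmap", "masscan", "zgrab", "nuclei", "gobuster")
PROBE_PATHS = ("/.env", "/.git/", "/wp-login.php", "/phpmyadmin", "/etc/passwd")

# Constructed sample log lines; the IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Nikto/2.1.6)"
198.51.100.7 - - [10/Oct/2023:14:01:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Nikto/2.1.6)"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:14:05:01 +0000] "GET /db.sql HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:14:05:02 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:14:05:03 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
"""

def summarize(log_text):
    # Per client IP: total requests, 404s, scanner user-agent hits, probe-path hits.
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "scanner_ua": 0, "probes": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format (or corrupted); skip it
        s = stats[m["ip"]]
        s["requests"] += 1
        s["not_found"] += m["status"] == "404"
        s["scanner_ua"] += any(tag in m["ua"].lower() for tag in SCANNER_UA)
        s["probes"] += any(m["path"].startswith(p) for p in PROBE_PATHS)
    return stats

def suspicious(stats, min_requests=4, min_404_ratio=0.5):
    # Flag IPs with a scanner UA, a probe path, or mostly-404 traffic (path guessing).
    flagged = []
    for ip, s in stats.items():
        mostly_404 = s["requests"] >= min_requests and s["not_found"] / s["requests"] >= min_404_ratio
        if s["scanner_ua"] or s["probes"] or mostly_404:
            flagged.append(ip)
    return sorted(flagged)
```

Run `suspicious(summarize(open("access.log").read()))` against a real log; the flagged IPs and the paths they hit are the starting point for the deeper review of each script the comment recommends.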

Is it possible to give a bounty to a user on HackerOne even if you don't run a bounty program? I thought that the only way to pay them was if they submit a report to your own program. Obviously this is a problem if you don't have a program.

You would create your bounty program through them. The hackers would register with HackerOne and follow their process. In my opinion, that is much safer than creating your own program if you don't already have modest-sized legal, compliance and security teams.

Right, yeah, that's what I was thinking.

The problem is that the process of creating a HackerOne bounty program can take a short while to get to the stage where you can invite hackers - if you have an active hacker on the line like OP does, that could be too long of a wait.

Advise them you are looking into creating your bug bounty program and kindly ask them to wait while you get things set up.

1) Identify the absolute worst thing that can happen if this individual does truly have a significant exploit on your site. What is the absolute worst thing?

2) Accept that #1 might happen. As in, truly accept this as a possibility.

3) Work in ways to mitigate #1. What active steps can you start taking right this very minute to mitigate any potential damage done from the worst case scenario in #1?

I would start by trying to scan the site using something like nmap or Metasploit (https://www.metasploit.com/) to see if they find anything.

In my experience, most of these are just low-level extortion attempts where they run a point-and-click vulnerability scan and ask for money to see the results.

Before I had a bounty program I'd politely reply asking for information on the vulnerability, but now I do have a bounty program so I just point them there.

If the issue turns out to be real and you want to reward them, be very careful paying them directly, as often they seem to want Google-level bounty values even though you might only be a small business.

I would not open any dialogue with the attackers. Here's the advice from the FBI for ransomware:



It depends a bit on the phrasing, but in all cases where someone asked if we would pay for vulnerability reports and we replied we would not pay, only offer acknowledgement on our security page, they would still share the report.

If you are going to pay, make sure you clearly state scope and the type of exploits you pay for. Otherwise there is a high probability of it being something in the realm of being able to iframe your site.

Look through your access logs and see if you can figure out what they found.

If you can’t, talk to them about what kind of exploit it is (so you can agree on a reasonable payout) and then pay on the condition they do a non-destructive demo of the exploit.

Tell him that extortion isn't the best way to build a friendship and that if he wants to do something illegal then you'll happily forward him the contact info of some criminal attorneys.

While this is true, the personality type of the white/grey/blackhat may take that as provocative and a challenge. In my opinion, this is a risky approach. If their intent is malicious, they will not be turned away by threats.

great way to get a zero day dropped on your business in a tweet
