How not to communicate with a security researcher

While around 98% of my email communications with website or system owners are very friendly, appreciated and sometimes also rewarding, 1% out of the remaining 2% are offensive and just piss me off.

Here, I’d like to show you an example of how not to communicate with a security researcher.

This conversation took place with a publisher of technology information and a learning company, which makes it even weirder…

Starting on Twitter:

Me:

> hey XXXXXXX, i discovered a vulnerability on your website. how can i contact the admin/webmaster?

Them:

> Hi, send me all your contact info: jon@xxxxxxxx.com (Name, email, etc)

Seems like a good start to make them aware of what’s going on. So I sent the email:

Me:

> Hi Jon,
> here we go 🙂 Should I just send all details in bulk or do you want me to send them in a special way? PGP, ...

Now it gets pretty… sorry, there is no word for it. Just read for yourself:

Them:

> Hi SECUNINJA
>
> Bulk is fine, but really, all I want is a name. It is difficult to converse with an anonymous handle.

Well, why should it be difficult? I can say my name is Billy or Amanda or Jesus… Does that make a difference?

> If you are fishing for a reward, I will let you know that we do not offer any bug bounties.

Oh, that is a clear statement… But I’m fine with that.

> If you are looking to contact anyone on our dev or security team, we do not do that either.

So if they want the social media manager to handle vulnerability details… not my problem. But their problem is how the social media manager is handling it.

> Basically, I am a Social Media Manager, and I am the go between. If you have a bug you want us to know about, you tell me everything, and I pass it along to the dev team, and that is it. You never hear from us again, except for me to say thanks.

They really should think about replacing him. This is awful communication, bad PR, and it just pisses me off. This is not the way you should talk to a researcher. It will make him never report a vulnerability again. If it’s a bounty hunter who doesn’t mind selling vulnerabilities, even worse.
Further, how should I close the report when I never hear back?

> If that is amiable, we are happy to accept your bug report, if not, thanks anyway, until we have a full fledged bug bounty program up and running, there is little I can do for you.

Sounds like this will never happen.

> Most of our customers who find bugs, they just email us and let us know. Most of the security folks that are fishing for bounty, contact us via twitter, use anonymous handles, and try to get around me by threats, or bully tactics.

If one of their customers finds a bug, it’s a slightly different situation… I’m not a customer. And if they have so many researchers contacting them, they really should think about the reasons. I told him that I will send the details anyway… no matter how rudely he’s talking to me.

> That explains a bit of my attitude, since we get maybe 20 a week via twitter, folks with anonymous handles telling me they've found a security issue with our site, and want to talk to the security team.

Probably at least some with a good reason.

> At our xxxxxx Security Conference last year, I asked about 200 attendees who would actually speak with an anonymous 'ninja' who reached out via Twitter, and they all said no.

So they might all be on the wrong track.

> So, we based our policy upon me being the front man, and trying to triage the fishers from the friends.

And he will IMO never get most of the vuln details.

This being said, here is what I replied:

Hi Jon,
all I want is to make the web a safer place. And to be honest, your reply is within a 1% range. The 1% range of people or companies not aware of people like me.
>Bulk is fine, but really, all I want is a name.  It is difficult to converse with an anonymous
>handle.
Call me dude, bro, mate… you name it…
>If you are fishing for a reward, I will let you know that we do not offer any bug bounties.
That’s fine for me, even though I think that’s not the right approach to start the discussion.
>Basically, I am a Social Media Manager, and I am the go between.  If you have a bug you
>want us to know about, you tell me everything, and I pass it along to the dev team, and
>that is it.  You never hear from us again, except for me to say thanks.
When you are a Social Media Manager, look at my twitter conversations, the hall-of-fame on my website and my 1.7k patched vulnerabilities. What do you think? Which kind of contacts do I prefer to talk to? Right now I think about using this email as an example for “how to not talk to a security researcher” in a blog post. Anonymous of course.
Further, when I never hear back, how can I close the report?
>If that is amiable, we are happy to accept your bug report, if not, thanks anyway, until we
>have a full fledged bug bounty program up an running, there is little I can do for you.
As I already said, I’m good with doing my work for no return. So you’ll get the details you need. But I feel like you’re spending too much time on repelling both good and bad tipsters.
>Most of our customers who find bugs, they just email us and let us know.  Most of the
>security folks that are fishing for bounty, contact us via twitter, use anonymous handles,
>and try to get around me by threats, or bully tactics.
I’m not a customer but one of the “folks” you’re talking about. And sure, there are a number of “folks” trying to blackmail or so, but that’s not me. You just need to read my profiles. I say “I do not blackmail, I do not damage”. That’s all. I’m Ethical. White-Hat.
If you don’t want to be contacted via Twitter, have a look at https://securitytxt.org/ to see how you can add a suitable contact for security researchers like me, as you seem not to respond to emails. Referring to:
https://www.openbugbounty.org/reports/removed/
Website Operator Notified: 17 July, 2018
By the way, you can even create a free bug bounty / coordinated disclosure program there and still you don’t have to give any rewards to the hacker.
>That explains a bit of my attitude, since we get maybe 20 a week via twitter, folks with
>anonymous handles telling me they’ve found a security issue with our site, and want to
>talk to the security team.
What if there are so many vulnerabilities?
Seeing the kind of vuln I’ve found, that might be a correct number. If I were you, I would set up a plan/program for such contacts which is more respectful of the work the good guys do. Again, I’m not one of those who trick you for other contacts or so.
>At our <removed> Security Conference last year, I asked about 200 attendees who would
>actually speak with an anonymous ‘ninja’ who reached out via Twitter, and they all  said
>no.
If I had been there, I would have raised my hand: yes, I would.
Invite someone from the bug bounty community, maybe from bugcrowd.com or hackerone.com just to name some, to your next conference to also hear the other side. When you folks are scared to talk to me just because you don’t know my real name, Twitter might not be the right place for you. I could say an arbitrary name which you cannot verify anyway.
>So, we based our policy upon me being the front man, and trying to triage the fishers from
>the friends.
I respect that kind of policy; nevertheless, I’m not okay with the rude “give me the details and then you’ll never hear from us again” approach.
That’s all from my side… 
Here are the vulnerability details:
1: XSS, CWE-79 on 
<removed>
2: XSS, CWE-79 on
<removed>
If you need assistance or more information just let me know.
Still I’m willing to help.
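As an added illustration of the securitytxt.org suggestion made in the reply above (this is not part of the original post, and the domain, addresses and URLs are placeholders, not the company's): a minimal security.txt as defined by RFC 9116. It gives researchers a contact channel that does not depend on Twitter DMs or guessing an email address, and the Policy line is where a site can state up front that it runs no bounty program and how it responds to reports.

```text
# Placeholder values for example.com; replace with your own before publishing.
# Serve this file at https://example.com/.well-known/security.txt as text/plain.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
# Expires is required; keep it less than a year out and renew it on a schedule.
Expires: 2026-12-31T23:59:59.000Z
# Where a reporter can fetch your public key to encrypt the details.
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
# Canonical tells a reader which URL is the authoritative copy of this file.
Canonical: https://example.com/.well-known/security.txt
# Disclosure policy: expected response time, scope, and whether rewards are offered.
Policy: https://example.com/security/disclosure-policy
Acknowledgments: https://example.com/security/hall-of-fame
```

Only Contact and Expires are mandatory; the other fields are optional but answer exactly the questions raised in the exchange above (how to send details securely, whether there is a bounty, whether the reporter will hear back). An expired or missing file is what many researchers check first, so put the renewal of Expires on a calendar rather than relying on someone to remember it.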