tulo

How to behave in case of security bug


I'd like to hear your opinion about this topic. All the info is supposition.

Let's suppose that:

  • I find a very severe security bug in a website/system
  • The security bug can compromise the website/system very deeply
  • They don't provide in the ToS or website any info or legal notes about bug report/bug bounty
  • I attack the website/service, causing minimal to no damage, only to test the vulnerability. I attack using an account which can be led back to me
  • I contact them via a fake mail and don't receive any legally valid document that protects my data and my person in case of liability for "attacking" their system to test the vulnerability

What should I do? How high is the risk of being sued in case I report the bug technicalities and the account from which I performed the attack (as happened, for example, in this case: https://www.engadget.com/2017/11/20/dji-threatens-legal-action-researcher-reports-bug/)?

What is the legal protection for researchers that "attack" systems to test vulnerabilities?

6 minutes ago, tulo said:

What is the legal protection for researchers that "attack" systems to test vulnerabilities?

Depends a lot on your jurisdiction. In any case: STOP THE ATTACK IMMEDIATELY.

Depending on the impact, I'd either stay silent about the whole thing or contact the CERT of the country where this website/system is hosted or operating from, if necessary via anonymous mail.

You'll get better (but also more expensive) advice from a lawyer or interest group (e.g. the CCC).

2 minutes ago, Sukrim said:

Depending on the impact, I'd either stay silent about the whole thing or contact the CERT of the country where this website/system is hosted or operating from, if necessary via anonymous mail.

You'll get better (but also more expensive) advice from a lawyer or interest group (e.g. the CCC).

But in any case I see a loss of time/money for nothing in return but "fame" :).

1 hour ago, Dario_o said:

Yeah, the US government is not first on the list at all of who I'd trust to fix a 0-day...

2 hours ago, tulo said:

But in any case I see a loss of time/money for nothing in return but "fame" :).

You don't earn "fame" or money, but you maybe get to stay out of prison because you likely violated several laws at this point. I'd still expect to get raided, so make sure that you have off-site back-ups of your data in case you are working in IT and need working computers to actually earn your living - because it is not unlikely that you'll no longer be in possession of the ones you currently have.

2 hours ago, tev said:

Stay away from any countries whose intelligence agencies may have created the vulnerability.

It is far more likely to stumble upon a badly written webshop or a forum leaking user data than a state sponsored attack.

2 minutes ago, Sukrim said:

You don't earn "fame" or money, but you maybe get to stay out of prison because you likely violated several laws at this point. I'd still expect to get raided, so make sure that you have off-site back-ups of your data in case you are working in IT and need working computers to actually earn your living - because it is not unlikely that you'll no longer be in possession of the ones you currently have.

Come on, this seems like too much imo :).

Why do security researchers do that?

1 minute ago, tulo said:

Why do security researchers do that?

They get paid to do this stuff by companies before they take a deeper look, they don't just randomly attack servers on the internet. At least the ones that want to stay out of trouble and in business. Alternatively they work for a large organization that protects them somewhat (universities, companies) and they get paid to do this stuff by their employer.

@tulo what do you want from them?

If it's just to tell them about the vulnerability, then just send something untraceable: an old-fashioned letter, and not from your local post box.

If you are after money, and they don't have a bounty programme... you risk coming across as if you are blackmailing them...

2 minutes ago, XRP-JAG said:

@tulo what do you want from them?

If it's just to tell them about the vulnerability, then just send something untraceable: an old-fashioned letter, and not from your local post box.

If you are after money, and they don't have a bounty programme... you risk coming across as if you are blackmailing them...

Let's say that the person who found the bug doesn't want anything from them, just to inform them about the bug.

The problem is that if he tells them about the vulnerability, they'll find out which accounts did that.

If he doesn't tell them, probably someone will sooner or later use that vulnerability, and they'll again find out all the accounts that exploited it :wacko:. But in this case it will be worse, because someone could have exploited it badly, with huge losses.
