Ask HN: How do I respond to someone claiming he has an exploit on my site?
He's gone straight to asking if we'll pay for an exploit. I'm pretty sure it's a scam but obviously don't want to get in a situation where we've ignored a real issue. We don't have an official bug bounty program, but we'd be happy to pay out if it turns out to be a real exploit. What's the right course of action here?
14 comments
[ 0.29 ms ] story [ 39.5 ms ] threadhttps://www.fbi.gov/investigate/cyber
https://www.fbi.gov/file-repository/ransomware-prevention-an...
[1] - https://www.hackerone.com/
On a side note, look through all of your access logs leading up to the communication. That can give you an idea of what bots and security tools were enumerating. Then dig deeper into each script they hit with your security team, or hire someone to analyze your code. Also, try to export dumps of your databases and look for things that should not be there. i.e. entries by unauthenticated services or users.
The problem is that the process of creating a HackerOne bounty program can take a short while to get to the stage where you can invite hackers - if you have an active hacker on the line like OP does, that could be too long of a wait.
Before I had a bounty program I'd politely reply asking for information on the vulnerability, but now I do have a bounty program so I just point them there.
If the issue turns out to be real and you want to reward them, be very careful paying them directly, as often they seem to want Google-level bounty values even though you might only be a small business.
If you are going to pay, make sure you clearly state scope and the type of exploits you pay for. Otherwise there is a high probability of it being something in the realm of being able to iframe your site.
2) Accept that #1 might happen. As in truly accept this as a possibility
3) Work in ways to mitigate #1. What active steps can you start taking right this very minute to mitigate any potential damage done from the worst case scenario in #1?
If you can’t, talk to them about what kind of exploit it is (so you can agree on a reasonable payout) and then pay on the condition they do a non-destructive demo of the exploit.