How to proceed with a white-hat hacker claiming a vulnerability?
I am a security member of a small company which recently got contacted by someone claiming to be a Hackenproof member.
They were reporting on our website being indexed by googlebot (metadata, thin page content, anchor text issues) and an XSS vulnerability.
We do not have any legal statement that I know of regarding VDP (vulnerability disclosure policy) yet.
My questions:
- Basically how to proceed or even should we? (Are they legit?)
- What is the common expectation from a white hacker?
- How to validate the vulnerability?
disclosure bug-bounty white-hat
edited 6 hours ago
Anders
49.2k22143160
asked 9 hours ago
VcodeVcode
1016
New contributor
Vcode is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
I am a security member of a small company which recently got contacted by someone claiming to be a Hackenproof member.
They were reporting on our website being indexed by googlebot (metadata, thin page content, anchor text issues) and an XSS vulnerability.
We do not have any legal statement that I know of regarding VDP (vulnerability disclosure policy) yet.
My questions:
- Basically how to proceed or even should we? (Are they legit?)
- What is the common expectation from a white hacker?
- How to validate the vulnerability?
disclosure bug-bounty white-hat
edited 6 hours ago
Anders
49.2k22143160
asked 9 hours ago
VcodeVcode
1016
New contributor
Vcode is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
I am a security member of a small company which recently got contacted by someone claiming to be a Hackenproof member.
They were reporting on our website being indexed by googlebot (metadata, thin page content, anchor text issues) and an XSS vulnerability.
We do not have any legal statement that I know of regarding VDP (vulnerability disclosure policy) yet.
My questions:
- Basically how to proceed or even should we? (Are they legit?)
- What is the common expectation from a white hacker?
- How to validate the vulnerability?
disclosure bug-bounty white-hat
edited 6 hours ago
Anders
49.2k22143160
asked 9 hours ago
VcodeVcode
1016
New contributor
Vcode is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I am a security member of a small company which recently got contacted by someone claiming to be a Hackenproof member.
They were reporting on our website being indexed by googlebot (metadata, thin page content, anchor text issues) and an XSS vulnerability.
We do not have any legal statement that I know of regarding VDP (vulnerability disclosure policy) yet.
My questions:
- Basically how to proceed or even should we? (Are they legit?)
- What is the common expectation from a white hacker?
- How to validate the vulnerability?
disclosure bug-bounty white-hat
disclosure bug-bounty white-hat
edited 6 hours ago
Anders
49.2k22143160
asked 9 hours ago
VcodeVcode
1016
New contributor
Vcode is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 6 hours ago
Anders
49.2k22143160
asked 9 hours ago
VcodeVcode
1016
New contributor
Vcode is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 6 hours ago
Anders
49.2k22143160
edited 6 hours ago
Anders
49.2k22143160
edited 6 hours ago
Anders
49.2k22143160
49.2k22143160
asked 9 hours ago
VcodeVcode
1016
New contributor
Vcode is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 9 hours ago
VcodeVcode
1016
asked 9 hours ago
VcodeVcode
1016
1016
New contributor
Vcode is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Vcode is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Vcode is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
Hackenproof appears to be a website anyone can sign up for, so saying you're a member of Hackproof is equivalent to saying you're a member of Facebook. This is not an exclusive hacker group.
There's no formalized standard way to proceed with such a situation, since your company, your business, the bug, and the white hat are all going to vary greatly. One size doesn't fit all.
In general, it's advisable to be cautious but curious. Be careful, but not paranoid and vindictive. Don't provide any internal information to the white hat, try to get as much information as possible upfront while revealing little or nothing. Many of these people like to talk to show their own expertise. Let them do so. There's little harm that can happen if the information only flows one way. Ask him/her for source code, or a detailed description of the problem. Then analyze the code/description and write your own exploit (and don't compile or run the white hats code), running it against a test instance, preferably as isolated as possible from any other environment.
As far as each parties responsibilities, Most people who claim to be white hat hackers these days will practice responsible disclosure and not release the bug to the world until it can be fixed. Your responsibility is to fix the bug (if it's severe enough) within a reasonable amount of time (several weeks, not years). If your company offers bounties, they should be paid if the bug meets the criteria. If not, the white hat should accept that they likely won't be paid, but you have to accept that they might release the bug to the general public if it's not fixed in a reasonable amount of time.
answered 8 hours ago
Steve SetherSteve Sether
17.2k53566
8
"try to get as much information as possible upfront while revealing little or nothing." Easy way to do this: "Thanks for alerting us! Could you provide steps to reproduce?" Reveals nothing, promises nothing, asks for all the info you need. I wouldn't even ask for source code unless absolutely necessary, given that you won't want to execute it.
– jpmc26
4 hours ago
@jpmc26 I think asking for source code separates the pretenders and probers from the real white hats. Some people might just wasting your time, and source code gets down to the brass tacks.
– Steve Sether
1 hour ago
I am fairly certain that providing legitimate steps to reproduce would be equally difficult if they haven't actually found a vulnerability. If it really is complicated enough to necessitate source code, someone legitimate would probably just provide it when asked for the steps, or at least offer to provide it.
– jpmc26
27 secs ago
add a comment |
I don't know that there are any hard-and-fast rules here. Let's treat this as game-theory:
What the researcher wants
Usually:
- Public credit for the discovery, such as a CVE or a research paper.
- Sometimes money in the form of a bug bounty.
What you want
Usually:
- Not to be publicly humiliated.
- To improve the security of your product.
How to proceed
From a game-theory perspective, the win-win situation is for them to disclose the details to you, for you to fix it, and for them to get their public credit. You should set up a phone call with the researcher and ask for a demo -- you stand to gain a lot and stand to lose nothing. Be aware that before they're willing to show you the details, the researcher may want an NDA or some other legal contract ensuring that they get their credit at the end.
answered 8 hours ago
Mike OunsworthMike Ounsworth
39.7k1593141
add a comment |
To answer each of your questions:
1. Basically how to proceed or even should we?
I recommend proceeding. You will be able to acquire valuable information that can immediately be put towards improving the security of your company. You haven't told us what the researcher has sent you, but they will either have a description of the vulnerability or methods to reproduce it. To proceed you will need from them:
A description/attack scenario of the vulnerability found. Why is this an issue, what specifically does the bug allow an attacker to do that they shouldn't be able to do, what is the worst case scenario/severity of the finding.
Reproduction steps. What steps could you give any engineer and allow them to reproduce the bug every time.
What the hacker is looking for in return. As mentioned it may be permission to publish the finding after fixing or money.
You might also want or receive remediation advice, risk scores, etc. from the researcher.
VERY IMPORTANT: make it clear to the researcher that you expect them to keep the issue confidential until the issue is fixed. They may counter with a remediation window, e.g. they get to publish and article if the issue is not fixed within 60 days. This is common practice and should be acceptable to most companies with a strong security posture.
2. What is the common expectation from a white hacker?
Depends on the researcher, but they will likely want permission to publish the finding once it's been fixed as well as a monetary reward. Reward prices are based on overall severity and size of the bounty program. Hackerone, a large bug bounty platform, has a matrix that suggests payouts relative to size of the company/bounty program: https://www.hackerone.com/resources/bug-bounty-basics. Determining payout price is a subtle art - I recommend searching hackerone or other bug bounty platforms for similar bugs and basing your payout on what other companies are paying for the same issue.
Again - a common expectation researchers will have is that they get to publish the finding in a certain amount of time regardless of whether it's been fixed by then. 60 days is common, but I wouldn't agree to an amount of time if you're not confident your company can deliver in that window. After the issue is patched, the hacker may want to validate that the fix was implemented correctly.
3. How to validate?
Use the reproduction steps the hacker has given you. They should be clear enough that any engineer can follow the steps exactly and reproduce the bug. If there are any issues here you can go back to the researcher and get clarification. It is the researchers responsibility to supply the company with reproduction steps that outline and identify the bug.
Once the issue is fixed you can invite the researcher to validate the fix and ensure that it was patched completely.
answered 7 hours ago
Buffalo5ixBuffalo5ix
689313
1
The report is on XSS and has the remediation and reproduction part. it's a popup window which they claim an attacker can perform advance phishing attacks , perform unauthorized payment transaction or perform arbitrary actions on behalf of the victim.
– Vcode
7 hours ago
1
Thanks for the context! XSS can vary in severity, if they can truly perform unauthorized payment transactions like they say then it is certainly a critical issue. Of course make sure to validate this claim! It's very difficult to talk numbers without a sense of how big your company or security team is - I would consider anything less than $3,000 an insultingly low payout assuming you can really leverage this XSS to drain funds. Otherwise, figure out what the worst thing you can do with this attack is, anywhere from $500-$3000 would be typical for XSS.
– Buffalo5ix
7 hours ago
+1, good answer. One small critique. Unless a bug bounty has already been established, I don't think you should pay one, even if demanded. This changes the relationship from a social contract into a market contract. Social contracts generally provide more value than market ones and work well for smaller companies since they can maintain social contracts far more easily than large companies can. If you turn it into money, it's a different ballgame entirely. Giving credit where credit is due is more in line with the social contract.
– Steve Sether
57 mins ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Vcode is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203521%2fhow-to-proceed-with-a-white-hat-hacker-claiming-a-vulnerability%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
Hackenproof appears to be a website anyone can sign up for, so saying you're a member of Hackproof is equivalent to saying you're a member of Facebook. This is not an exclusive hacker group.
There's no formalized standard way to proceed with such a situation, since your company, your business, the bug, and the white hat are all going to vary greatly. One size doesn't fit all.
In general, it's advisable to be cautious but curious. Be careful, but not paranoid and vindictive. Don't provide any internal information to the white hat, try to get as much information as possible upfront while revealing little or nothing. Many of these people like to talk to show their own expertise. Let them do so. There's little harm that can happen if the information only flows one way. Ask him/her for source code, or a detailed description of the problem. Then analyze the code/description and write your own exploit (and don't compile or run the white hats code), running it against a test instance, preferably as isolated as possible from any other environment.
As far as each parties responsibilities, Most people who claim to be white hat hackers these days will practice responsible disclosure and not release the bug to the world until it can be fixed. Your responsibility is to fix the bug (if it's severe enough) within a reasonable amount of time (several weeks, not years). If your company offers bounties, they should be paid if the bug meets the criteria. If not, the white hat should accept that they likely won't be paid, but you have to accept that they might release the bug to the general public if it's not fixed in a reasonable amount of time.
answered 8 hours ago
Steve SetherSteve Sether
17.2k53566
8
"try to get as much information as possible upfront while revealing little or nothing." Easy way to do this: "Thanks for alerting us! Could you provide steps to reproduce?" Reveals nothing, promises nothing, asks for all the info you need. I wouldn't even ask for source code unless absolutely necessary, given that you won't want to execute it.
– jpmc26
4 hours ago
@jpmc26 I think asking for source code separates the pretenders and probers from the real white hats. Some people might just wasting your time, and source code gets down to the brass tacks.
– Steve Sether
1 hour ago
I am fairly certain that providing legitimate steps to reproduce would be equally difficult if they haven't actually found a vulnerability. If it really is complicated enough to necessitate source code, someone legitimate would probably just provide it when asked for the steps, or at least offer to provide it.
– jpmc26
27 secs ago
add a comment |
Hackenproof appears to be a website anyone can sign up for, so saying you're a member of Hackproof is equivalent to saying you're a member of Facebook. This is not an exclusive hacker group.
There's no formalized standard way to proceed with such a situation, since your company, your business, the bug, and the white hat are all going to vary greatly. One size doesn't fit all.
In general, it's advisable to be cautious but curious. Be careful, but not paranoid and vindictive. Don't provide any internal information to the white hat, try to get as much information as possible upfront while revealing little or nothing. Many of these people like to talk to show their own expertise. Let them do so. There's little harm that can happen if the information only flows one way. Ask him/her for source code, or a detailed description of the problem. Then analyze the code/description and write your own exploit (and don't compile or run the white hats code), running it against a test instance, preferably as isolated as possible from any other environment.
As far as each parties responsibilities, Most people who claim to be white hat hackers these days will practice responsible disclosure and not release the bug to the world until it can be fixed. Your responsibility is to fix the bug (if it's severe enough) within a reasonable amount of time (several weeks, not years). If your company offers bounties, they should be paid if the bug meets the criteria. If not, the white hat should accept that they likely won't be paid, but you have to accept that they might release the bug to the general public if it's not fixed in a reasonable amount of time.
answered 8 hours ago
Steve SetherSteve Sether
17.2k53566
8
"try to get as much information as possible upfront while revealing little or nothing." Easy way to do this: "Thanks for alerting us! Could you provide steps to reproduce?" Reveals nothing, promises nothing, asks for all the info you need. I wouldn't even ask for source code unless absolutely necessary, given that you won't want to execute it.
– jpmc26
4 hours ago
@jpmc26 I think asking for source code separates the pretenders and probers from the real white hats. Some people might just wasting your time, and source code gets down to the brass tacks.
– Steve Sether
1 hour ago
I am fairly certain that providing legitimate steps to reproduce would be equally difficult if they haven't actually found a vulnerability. If it really is complicated enough to necessitate source code, someone legitimate would probably just provide it when asked for the steps, or at least offer to provide it.
– jpmc26
27 secs ago
add a comment |
Hackenproof appears to be a website anyone can sign up for, so saying you're a member of Hackproof is equivalent to saying you're a member of Facebook. This is not an exclusive hacker group.
There's no formalized standard way to proceed with such a situation, since your company, your business, the bug, and the white hat are all going to vary greatly. One size doesn't fit all.
In general, it's advisable to be cautious but curious. Be careful, but not paranoid and vindictive. Don't provide any internal information to the white hat, try to get as much information as possible upfront while revealing little or nothing. Many of these people like to talk to show their own expertise. Let them do so. There's little harm that can happen if the information only flows one way. Ask him/her for source code, or a detailed description of the problem. Then analyze the code/description and write your own exploit (and don't compile or run the white hats code), running it against a test instance, preferably as isolated as possible from any other environment.
As far as each parties responsibilities, Most people who claim to be white hat hackers these days will practice responsible disclosure and not release the bug to the world until it can be fixed. Your responsibility is to fix the bug (if it's severe enough) within a reasonable amount of time (several weeks, not years). If your company offers bounties, they should be paid if the bug meets the criteria. If not, the white hat should accept that they likely won't be paid, but you have to accept that they might release the bug to the general public if it's not fixed in a reasonable amount of time.
answered 8 hours ago
Steve SetherSteve Sether
17.2k53566
Hackenproof appears to be a website anyone can sign up for, so saying you're a member of Hackproof is equivalent to saying you're a member of Facebook. This is not an exclusive hacker group.
There's no formalized standard way to proceed with such a situation, since your company, your business, the bug, and the white hat are all going to vary greatly. One size doesn't fit all.
In general, it's advisable to be cautious but curious. Be careful, but not paranoid and vindictive. Don't provide any internal information to the white hat, try to get as much information as possible upfront while revealing little or nothing. Many of these people like to talk to show their own expertise. Let them do so. There's little harm that can happen if the information only flows one way. Ask him/her for source code, or a detailed description of the problem. Then analyze the code/description and write your own exploit (and don't compile or run the white hats code), running it against a test instance, preferably as isolated as possible from any other environment.
As far as each parties responsibilities, Most people who claim to be white hat hackers these days will practice responsible disclosure and not release the bug to the world until it can be fixed. Your responsibility is to fix the bug (if it's severe enough) within a reasonable amount of time (several weeks, not years). If your company offers bounties, they should be paid if the bug meets the criteria. If not, the white hat should accept that they likely won't be paid, but you have to accept that they might release the bug to the general public if it's not fixed in a reasonable amount of time.
answered 8 hours ago
Steve SetherSteve Sether
17.2k53566
answered 8 hours ago
Steve SetherSteve Sether
17.2k53566
answered 8 hours ago
Steve SetherSteve Sether
17.2k53566
answered 8 hours ago
Steve SetherSteve Sether
17.2k53566
17.2k53566
8
"try to get as much information as possible upfront while revealing little or nothing." Easy way to do this: "Thanks for alerting us! Could you provide steps to reproduce?" Reveals nothing, promises nothing, asks for all the info you need. I wouldn't even ask for source code unless absolutely necessary, given that you won't want to execute it.
– jpmc26
4 hours ago
@jpmc26 I think asking for source code separates the pretenders and probers from the real white hats. Some people might just wasting your time, and source code gets down to the brass tacks.
– Steve Sether
1 hour ago
I am fairly certain that providing legitimate steps to reproduce would be equally difficult if they haven't actually found a vulnerability. If it really is complicated enough to necessitate source code, someone legitimate would probably just provide it when asked for the steps, or at least offer to provide it.
– jpmc26
27 secs ago
add a comment |
8
"try to get as much information as possible upfront while revealing little or nothing." Easy way to do this: "Thanks for alerting us! Could you provide steps to reproduce?" Reveals nothing, promises nothing, asks for all the info you need. I wouldn't even ask for source code unless absolutely necessary, given that you won't want to execute it.
– jpmc26
4 hours ago
@jpmc26 I think asking for source code separates the pretenders and probers from the real white hats. Some people might just wasting your time, and source code gets down to the brass tacks.
– Steve Sether
1 hour ago
I am fairly certain that providing legitimate steps to reproduce would be equally difficult if they haven't actually found a vulnerability. If it really is complicated enough to necessitate source code, someone legitimate would probably just provide it when asked for the steps, or at least offer to provide it.
– jpmc26
27 secs ago
8
8
"try to get as much information as possible upfront while revealing little or nothing." Easy way to do this: "Thanks for alerting us! Could you provide steps to reproduce?" Reveals nothing, promises nothing, asks for all the info you need. I wouldn't even ask for source code unless absolutely necessary, given that you won't want to execute it.
– jpmc26
4 hours ago
"try to get as much information as possible upfront while revealing little or nothing." Easy way to do this: "Thanks for alerting us! Could you provide steps to reproduce?" Reveals nothing, promises nothing, asks for all the info you need. I wouldn't even ask for source code unless absolutely necessary, given that you won't want to execute it.
– jpmc26
4 hours ago
@jpmc26 I think asking for source code separates the pretenders and probers from the real white hats. Some people might just wasting your time, and source code gets down to the brass tacks.
– Steve Sether
1 hour ago
@jpmc26 I think asking for source code separates the pretenders and probers from the real white hats. Some people might just wasting your time, and source code gets down to the brass tacks.
– Steve Sether
1 hour ago
I am fairly certain that providing legitimate steps to reproduce would be equally difficult if they haven't actually found a vulnerability. If it really is complicated enough to necessitate source code, someone legitimate would probably just provide it when asked for the steps, or at least offer to provide it.
– jpmc26
27 secs ago
I am fairly certain that providing legitimate steps to reproduce would be equally difficult if they haven't actually found a vulnerability. If it really is complicated enough to necessitate source code, someone legitimate would probably just provide it when asked for the steps, or at least offer to provide it.
– jpmc26
27 secs ago
add a comment |
I don't know that there are any hard-and-fast rules here. Let's treat this as game-theory:
What the researcher wants
Usually:
- Public credit for the discovery, such as a CVE or a research paper.
- Sometimes money in the form of a bug bounty.
What you want
Usually:
- Not to be publicly humiliated.
- To improve the security of your product.
How to proceed
From a game-theory perspective, the win-win situation is for them to disclose the details to you, for you to fix it, and for them to get their public credit. You should set up a phone call with the researcher and ask for a demo -- you stand to gain a lot and stand to lose nothing. Be aware that before they're willing to show you the details, the researcher may want an NDA or some other legal contract ensuring that they get their credit at the end.
answered 8 hours ago
Mike OunsworthMike Ounsworth
39.7k1593141
add a comment |
I don't know that there are any hard-and-fast rules here. Let's treat this as game-theory:
What the researcher wants
Usually:
- Public credit for the discovery, such as a CVE or a research paper.
- Sometimes money in the form of a bug bounty.
What you want
Usually:
- Not to be publicly humiliated.
- To improve the security of your product.
How to proceed
From a game-theory perspective, the win-win situation is for them to disclose the details to you, for you to fix it, and for them to get their public credit. You should set up a phone call with the researcher and ask for a demo -- you stand to gain a lot and stand to lose nothing. Be aware that before they're willing to show you the details, the researcher may want an NDA or some other legal contract ensuring that they get their credit at the end.
answered 8 hours ago
Mike OunsworthMike Ounsworth
39.7k1593141
add a comment |
I don't know that there are any hard-and-fast rules here. Let's treat this as game-theory:
What the researcher wants
Usually:
- Public credit for the discovery, such as a CVE or a research paper.
- Sometimes money in the form of a bug bounty.
What you want
Usually:
- Not to be publicly humiliated.
- To improve the security of your product.
How to proceed
From a game-theory perspective, the win-win situation is for them to disclose the details to you, for you to fix it, and for them to get their public credit. You should set up a phone call with the researcher and ask for a demo -- you stand to gain a lot and stand to lose nothing. Be aware that before they're willing to show you the details, the researcher may want an NDA or some other legal contract ensuring that they get their credit at the end.
answered 8 hours ago
Mike OunsworthMike Ounsworth
39.7k1593141
I don't know that there are any hard-and-fast rules here. Let's treat this as game-theory:
What the researcher wants
Usually:
- Public credit for the discovery, such as a CVE or a research paper.
- Sometimes money in the form of a bug bounty.
What you want
Usually:
- Not to be publicly humiliated.
- To improve the security of your product.
How to proceed
From a game-theory perspective, the win-win situation is for them to disclose the details to you, for you to fix it, and for them to get their public credit. You should set up a phone call with the researcher and ask for a demo -- you stand to gain a lot and stand to lose nothing. Be aware that before they're willing to show you the details, the researcher may want an NDA or some other legal contract ensuring that they get their credit at the end.
answered 8 hours ago
Mike OunsworthMike Ounsworth
39.7k1593141
answered 8 hours ago
Mike OunsworthMike Ounsworth
39.7k1593141
answered 8 hours ago
Mike OunsworthMike Ounsworth
39.7k1593141
answered 8 hours ago
Mike OunsworthMike Ounsworth
39.7k1593141
39.7k1593141
add a comment |
add a comment |
To answer each of your questions:
1. Basically how to proceed or even should we?
I recommend proceeding. You will be able to acquire valuable information that can immediately be put towards improving the security of your company. You haven't told us what the researcher has sent you, but they will either have a description of the vulnerability or methods to reproduce it. To proceed you will need from them:
A description/attack scenario of the vulnerability found. Why is this an issue, what specifically does the bug allow an attacker to do that they shouldn't be able to do, what is the worst case scenario/severity of the finding.
Reproduction steps. What steps could you give any engineer and allow them to reproduce the bug every time.
What the hacker is looking for in return. As mentioned it may be permission to publish the finding after fixing or money.
You might also want or receive remediation advice, risk scores, etc. from the researcher.
VERY IMPORTANT: make it clear to the researcher that you expect them to keep the issue confidential until the issue is fixed. They may counter with a remediation window, e.g. they get to publish and article if the issue is not fixed within 60 days. This is common practice and should be acceptable to most companies with a strong security posture.
2. What is the common expectation from a white hacker?
Depends on the researcher, but they will likely want permission to publish the finding once it's been fixed as well as a monetary reward. Reward prices are based on overall severity and size of the bounty program. Hackerone, a large bug bounty platform, has a matrix that suggests payouts relative to size of the company/bounty program: https://www.hackerone.com/resources/bug-bounty-basics. Determining payout price is a subtle art - I recommend searching hackerone or other bug bounty platforms for similar bugs and basing your payout on what other companies are paying for the same issue.
Again - a common expectation researchers will have is that they get to publish the finding in a certain amount of time regardless of whether it's been fixed by then. 60 days is common, but I wouldn't agree to an amount of time if you're not confident your company can deliver in that window. After the issue is patched, the hacker may want to validate that the fix was implemented correctly.
3. How to validate?
Use the reproduction steps the hacker has given you. They should be clear enough that any engineer can follow the steps exactly and reproduce the bug. If there are any issues here you can go back to the researcher and get clarification. It is the researchers responsibility to supply the company with reproduction steps that outline and identify the bug.
Once the issue is fixed you can invite the researcher to validate the fix and ensure that it was patched completely.
answered 7 hours ago
Buffalo5ixBuffalo5ix
689313
1
The report is on XSS and has the remediation and reproduction part. it's a popup window which they claim an attacker can perform advance phishing attacks , perform unauthorized payment transaction or perform arbitrary actions on behalf of the victim.
– Vcode
7 hours ago
1
Thanks for the context! XSS can vary in severity, if they can truly perform unauthorized payment transactions like they say then it is certainly a critical issue. Of course make sure to validate this claim! It's very difficult to talk numbers without a sense of how big your company or security team is - I would consider anything less than $3,000 an insultingly low payout assuming you can really leverage this XSS to drain funds. Otherwise, figure out what the worst thing you can do with this attack is, anywhere from $500-$3000 would be typical for XSS.
– Buffalo5ix
7 hours ago
+1, good answer. One small critique. Unless a bug bounty has already been established, I don't think you should pay one, even if demanded. This changes the relationship from a social contract into a market contract. Social contracts generally provide more value than market ones and work well for smaller companies since they can maintain social contracts far more easily than large companies can. If you turn it into money, it's a different ballgame entirely. Giving credit where credit is due is more in line with the social contract.
– Steve Sether
57 mins ago
add a comment |
To answer each of your questions:
1. Basically how to proceed or even should we?
I recommend proceeding. You will be able to acquire valuable information that can immediately be put towards improving the security of your company. You haven't told us what the researcher has sent you, but they will either have a description of the vulnerability or methods to reproduce it. To proceed you will need from them:
A description/attack scenario of the vulnerability found. Why is this an issue, what specifically does the bug allow an attacker to do that they shouldn't be able to do, what is the worst case scenario/severity of the finding.
Reproduction steps. What steps could you give any engineer and allow them to reproduce the bug every time.
What the hacker is looking for in return. As mentioned it may be permission to publish the finding after fixing or money.
You might also want or receive remediation advice, risk scores, etc. from the researcher.
VERY IMPORTANT: make it clear to the researcher that you expect them to keep the issue confidential until the issue is fixed. They may counter with a remediation window, e.g. they get to publish and article if the issue is not fixed within 60 days. This is common practice and should be acceptable to most companies with a strong security posture.
2. What is the common expectation from a white hacker?
Depends on the researcher, but they will likely want permission to publish the finding once it's been fixed as well as a monetary reward. Reward prices are based on overall severity and size of the bounty program. Hackerone, a large bug bounty platform, has a matrix that suggests payouts relative to size of the company/bounty program: https://www.hackerone.com/resources/bug-bounty-basics. Determining payout price is a subtle art - I recommend searching hackerone or other bug bounty platforms for similar bugs and basing your payout on what other companies are paying for the same issue.
Again - a common expectation researchers will have is that they get to publish the finding in a certain amount of time regardless of whether it's been fixed by then. 60 days is common, but I wouldn't agree to an amount of time if you're not confident your company can deliver in that window. After the issue is patched, the hacker may want to validate that the fix was implemented correctly.
3. How to validate?
Use the reproduction steps the hacker has given you. They should be clear enough that any engineer can follow the steps exactly and reproduce the bug. If there are any issues here you can go back to the researcher and get clarification. It is the researchers responsibility to supply the company with reproduction steps that outline and identify the bug.
Once the issue is fixed you can invite the researcher to validate the fix and ensure that it was patched completely.
answered 7 hours ago
Buffalo5ixBuffalo5ix
689313
1
The report is on XSS and has the remediation and reproduction part. it's a popup window which they claim an attacker can perform advance phishing attacks , perform unauthorized payment transaction or perform arbitrary actions on behalf of the victim.
– Vcode
7 hours ago
1
Thanks for the context! XSS can vary in severity, if they can truly perform unauthorized payment transactions like they say then it is certainly a critical issue. Of course make sure to validate this claim! It's very difficult to talk numbers without a sense of how big your company or security team is - I would consider anything less than $3,000 an insultingly low payout assuming you can really leverage this XSS to drain funds. Otherwise, figure out what the worst thing you can do with this attack is, anywhere from $500-$3000 would be typical for XSS.
– Buffalo5ix
7 hours ago
+1, good answer. One small critique. Unless a bug bounty has already been established, I don't think you should pay one, even if demanded. This changes the relationship from a social contract into a market contract. Social contracts generally provide more value than market ones and work well for smaller companies since they can maintain social contracts far more easily than large companies can. If you turn it into money, it's a different ballgame entirely. Giving credit where credit is due is more in line with the social contract.
– Steve Sether
57 mins ago
add a comment |
To answer each of your questions:
1. Basically how to proceed or even should we?
I recommend proceeding. You will be able to acquire valuable information that can immediately be put towards improving the security of your company. You haven't told us what the researcher has sent you, but they will either have a description of the vulnerability or methods to reproduce it. To proceed you will need from them:
A description/attack scenario of the vulnerability found. Why is this an issue, what specifically does the bug allow an attacker to do that they shouldn't be able to do, what is the worst case scenario/severity of the finding.
Reproduction steps. What steps could you give any engineer and allow them to reproduce the bug every time.
What the hacker is looking for in return. As mentioned it may be permission to publish the finding after fixing or money.
You might also want or receive remediation advice, risk scores, etc. from the researcher.
VERY IMPORTANT: make it clear to the researcher that you expect them to keep the issue confidential until the issue is fixed. They may counter with a remediation window, e.g. they get to publish and article if the issue is not fixed within 60 days. This is common practice and should be acceptable to most companies with a strong security posture.
2. What is the common expectation from a white hacker?
Depends on the researcher, but they will likely want permission to publish the finding once it's been fixed as well as a monetary reward. Reward prices are based on overall severity and size of the bounty program. Hackerone, a large bug bounty platform, has a matrix that suggests payouts relative to size of the company/bounty program: https://www.hackerone.com/resources/bug-bounty-basics. Determining payout price is a subtle art - I recommend searching hackerone or other bug bounty platforms for similar bugs and basing your payout on what other companies are paying for the same issue.
Again - a common expectation researchers will have is that they get to publish the finding in a certain amount of time regardless of whether it's been fixed by then. 60 days is common, but I wouldn't agree to an amount of time if you're not confident your company can deliver in that window. After the issue is patched, the hacker may want to validate that the fix was implemented correctly.
3. How to validate?
Use the reproduction steps the hacker has given you. They should be clear enough that any engineer can follow the steps exactly and reproduce the bug. If there are any issues here you can go back to the researcher and get clarification. It is the researchers responsibility to supply the company with reproduction steps that outline and identify the bug.
Once the issue is fixed you can invite the researcher to validate the fix and ensure that it was patched completely.
answered 7 hours ago
Buffalo5ixBuffalo5ix
689313
To answer each of your questions:
1. Basically how to proceed or even should we?
I recommend proceeding. You will be able to acquire valuable information that can immediately be put towards improving the security of your company. You haven't told us what the researcher has sent you, but they will either have a description of the vulnerability or methods to reproduce it. To proceed you will need from them:
A description/attack scenario of the vulnerability found. Why is this an issue, what specifically does the bug allow an attacker to do that they shouldn't be able to do, what is the worst case scenario/severity of the finding.
Reproduction steps. What steps could you give any engineer and allow them to reproduce the bug every time.
What the hacker is looking for in return. As mentioned it may be permission to publish the finding after fixing or money.
You might also want or receive remediation advice, risk scores, etc. from the researcher.
VERY IMPORTANT: make it clear to the researcher that you expect them to keep the issue confidential until the issue is fixed. They may counter with a remediation window, e.g. they get to publish and article if the issue is not fixed within 60 days. This is common practice and should be acceptable to most companies with a strong security posture.
2. What is the common expectation from a white hacker?
Depends on the researcher, but they will likely want permission to publish the finding once it's been fixed as well as a monetary reward. Reward prices are based on overall severity and size of the bounty program. Hackerone, a large bug bounty platform, has a matrix that suggests payouts relative to size of the company/bounty program: https://www.hackerone.com/resources/bug-bounty-basics. Determining payout price is a subtle art - I recommend searching hackerone or other bug bounty platforms for similar bugs and basing your payout on what other companies are paying for the same issue.
Again - a common expectation researchers will have is that they get to publish the finding in a certain amount of time regardless of whether it's been fixed by then. 60 days is common, but I wouldn't agree to an amount of time if you're not confident your company can deliver in that window. After the issue is patched, the hacker may want to validate that the fix was implemented correctly.
3. How to validate?
Use the reproduction steps the hacker has given you. They should be clear enough that any engineer can follow the steps exactly and reproduce the bug. If there are any issues here you can go back to the researcher and get clarification. It is the researchers responsibility to supply the company with reproduction steps that outline and identify the bug.
Once the issue is fixed you can invite the researcher to validate the fix and ensure that it was patched completely.
answered 7 hours ago
Buffalo5ixBuffalo5ix
689313
answered 7 hours ago
Buffalo5ixBuffalo5ix
689313
answered 7 hours ago
Buffalo5ixBuffalo5ix
689313
answered 7 hours ago
Buffalo5ixBuffalo5ix
689313
689313
1
The report is on XSS and has the remediation and reproduction part. it's a popup window which they claim an attacker can perform advance phishing attacks , perform unauthorized payment transaction or perform arbitrary actions on behalf of the victim.
– Vcode
7 hours ago
1
Thanks for the context! XSS can vary in severity, if they can truly perform unauthorized payment transactions like they say then it is certainly a critical issue. Of course make sure to validate this claim! It's very difficult to talk numbers without a sense of how big your company or security team is - I would consider anything less than $3,000 an insultingly low payout assuming you can really leverage this XSS to drain funds. Otherwise, figure out what the worst thing you can do with this attack is, anywhere from $500-$3000 would be typical for XSS.
– Buffalo5ix
7 hours ago
+1, good answer. One small critique. Unless a bug bounty has already been established, I don't think you should pay one, even if demanded. This changes the relationship from a social contract into a market contract. Social contracts generally provide more value than market ones and work well for smaller companies since they can maintain social contracts far more easily than large companies can. If you turn it into money, it's a different ballgame entirely. Giving credit where credit is due is more in line with the social contract.
– Steve Sether
57 mins ago
add a comment |
1
The report is on XSS and has the remediation and reproduction part. it's a popup window which they claim an attacker can perform advance phishing attacks , perform unauthorized payment transaction or perform arbitrary actions on behalf of the victim.
– Vcode
7 hours ago
1
Thanks for the context! XSS can vary in severity, if they can truly perform unauthorized payment transactions like they say then it is certainly a critical issue. Of course make sure to validate this claim! It's very difficult to talk numbers without a sense of how big your company or security team is - I would consider anything less than $3,000 an insultingly low payout assuming you can really leverage this XSS to drain funds. Otherwise, figure out what the worst thing you can do with this attack is, anywhere from $500-$3000 would be typical for XSS.
– Buffalo5ix
7 hours ago
+1, good answer. One small critique. Unless a bug bounty has already been established, I don't think you should pay one, even if demanded. This changes the relationship from a social contract into a market contract. Social contracts generally provide more value than market ones and work well for smaller companies since they can maintain social contracts far more easily than large companies can. If you turn it into money, it's a different ballgame entirely. Giving credit where credit is due is more in line with the social contract.
– Steve Sether
57 mins ago
1
1
The report is on XSS and has the remediation and reproduction part. it's a popup window which they claim an attacker can perform advance phishing attacks , perform unauthorized payment transaction or perform arbitrary actions on behalf of the victim.
– Vcode
7 hours ago
The report is on XSS and has the remediation and reproduction part. it's a popup window which they claim an attacker can perform advance phishing attacks , perform unauthorized payment transaction or perform arbitrary actions on behalf of the victim.
– Vcode
7 hours ago
1
1
Thanks for the context! XSS can vary in severity, if they can truly perform unauthorized payment transactions like they say then it is certainly a critical issue. Of course make sure to validate this claim! It's very difficult to talk numbers without a sense of how big your company or security team is - I would consider anything less than $3,000 an insultingly low payout assuming you can really leverage this XSS to drain funds. Otherwise, figure out what the worst thing you can do with this attack is, anywhere from $500-$3000 would be typical for XSS.
– Buffalo5ix
7 hours ago
Thanks for the context! XSS can vary in severity, if they can truly perform unauthorized payment transactions like they say then it is certainly a critical issue. Of course make sure to validate this claim! It's very difficult to talk numbers without a sense of how big your company or security team is - I would consider anything less than $3,000 an insultingly low payout assuming you can really leverage this XSS to drain funds. Otherwise, figure out what the worst thing you can do with this attack is, anywhere from $500-$3000 would be typical for XSS.
– Buffalo5ix
7 hours ago
+1, good answer. One small critique. Unless a bug bounty has already been established, I don't think you should pay one, even if demanded. This changes the relationship from a social contract into a market contract. Social contracts generally provide more value than market ones and work well for smaller companies since they can maintain social contracts far more easily than large companies can. If you turn it into money, it's a different ballgame entirely. Giving credit where credit is due is more in line with the social contract.
– Steve Sether
57 mins ago
+1, good answer. One small critique. Unless a bug bounty has already been established, I don't think you should pay one, even if demanded. This changes the relationship from a social contract into a market contract. Social contracts generally provide more value than market ones and work well for smaller companies since they can maintain social contracts far more easily than large companies can. If you turn it into money, it's a different ballgame entirely. Giving credit where credit is due is more in line with the social contract.
– Steve Sether
57 mins ago
add a comment |
Vcode is a new contributor. Be nice, and check out our Code of Conduct.
Vcode is a new contributor. Be nice, and check out our Code of Conduct.
Vcode is a new contributor. Be nice, and check out our Code of Conduct.
Vcode is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203521%2fhow-to-proceed-with-a-white-hat-hacker-claiming-a-vulnerability%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
