Is soliciting money/rewards for 'responsible' security disclosures when none is stated a thing now?

Aaron de Bruyn aaron at heyaaron.com
Sat Mar 5 02:21:21 UTC 2022


I had a situation like that a few years ago.

Someone accidentally included the .git directory in a docker image that was
deployed to a customer's website.
Unfortunately early checkins of the .git directory included a copy of the
WordPress (yuck!) config file with hard-coded passwords. Those were moved
to environment variables, but never changed. And for some reason the
"developer" left indexing turned on. So the person was able to download the
git directory and walk back through the history and found the
passwords... and then connected to the database, which had some mild PHI
(first names and phone numbers).

Since the tech contact for the domain came back to my company and not the
developer, they reached out to me. After a few pleasant emails back and
forth he told me exactly where he found the passwords. I rotated passwords
and yelled at the developer, and thanked the guy who found it. He kindly
asked if I would "donate" to him by buying something from his Amazon
wishlist. I should note that he asked *after* he told us exactly what the
problem was.

I discussed it with the client and they picked some ~$400 item from the
list and sent it to him.

It could have been worse, but everyone involved agreed that it would be
nice to reward the guy for pointing out the blunder.

$400 was a small price to pay for the client since they do something like
$10 million USD per month. After that the client paid for a full security
audit of their web presence by a 3rd party company and everything came back
clean.

Do what you think is appropriate, but I'm all for encouraging responsible
and positive disclosure as well as being kind. If the guy had started the
email with "send me money or else I'll disclose" the entire process would
have been very different.

-A
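A defender-side check suggested by the incident above, added here as an example and not part of Aaron's message or the thread: it runs over constructed web-server access-log lines (combined log format; the client IPs and timestamps are made up) and reports which clients requested paths under /.git/ and whether the server actually served them, which is the signal that the repository history may have been walked.

```python
# Added example: flag requests that walk an exposed .git directory in
# access logs. Not from the original thread; log lines below are constructed.
import re
from collections import defaultdict

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# /.git itself (the listing page when indexing is on) or anything beneath it.
GIT_PATH_RE = re.compile(r'^/\.git(?:/|$)')

# Constructed sample log: one client walks .git and is served, one is blocked.
SAMPLE_LOG = """\
203.0.113.9 - - [05/Mar/2022:01:02:03 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Mar/2022:01:05:10 +0000] "GET /.git/ HTTP/1.1" 200 2210 "-" "curl/7.81.0"
198.51.100.7 - - [05/Mar/2022:01:05:11 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.81.0"
198.51.100.7 - - [05/Mar/2022:01:05:12 +0000] "GET /.git/config HTTP/1.1" 200 310 "-" "curl/7.81.0"
198.51.100.7 - - [05/Mar/2022:01:05:13 +0000] "GET /.git/objects/ HTTP/1.1" 200 9800 "-" "curl/7.81.0"
192.0.2.44 - - [05/Mar/2022:02:00:00 +0000] "GET /.git/HEAD HTTP/1.1" 403 199 "-" "python-requests/2.27"
203.0.113.9 - - [05/Mar/2022:02:10:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def git_exposure_report(log_text):
    """Per client IP: how many .git paths were requested and how many were served (2xx)."""
    report = defaultdict(lambda: {"requests": 0, "served": 0, "paths": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not GIT_PATH_RE.match(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["requests"] += 1
        entry["paths"].append(rec["path"])
        if rec["status"].startswith("2"):
            entry["served"] += 1
    return dict(report)

def clients_that_fetched_history(log_text):
    """IPs for which at least one .git path was actually served, i.e. the ones to treat as a disclosure."""
    return sorted(ip for ip, e in git_exposure_report(log_text).items() if e["served"] > 0)

if __name__ == "__main__":
    for ip, e in git_exposure_report(SAMPLE_LOG).items():
        print(ip, e["requests"], "requests,", e["served"], "served:", ", ".join(e["paths"]))
```

A 403 on every .git path (as for 192.0.2.44 above) is what you want to see once the web server denies that prefix; any 2xx means the history was reachable and the credentials in it should be rotated.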

On Wed Mar 2, 2022, 10:30 PM GMT, Brie <bruns at 2mbit.com> wrote:

I just got this in my e-mail...

------
From: xxxxxxx <xxxxxxxxxx6 at iqra.edu.pk>
Date: Thu, 3 Mar 2022 03:14:03 +0500
Message-ID: <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx at mail.gmail.com>
Subject: Found Security Vulnerability
To: undisclosed-recipients:;
Bcc: sxxxxxxxxx at ahbl.org

Hi Team

I am a web app security hunter. I spent some time on your website and found
some vulnerabilities. I see on your website you take security very
passionately.

Tell me will you give me rewards for my finding and responsible
disclosure? if Yes, So tell me where I send those vulnerability reports?
share email address.

Thank you

Good day, I truly hope it treats you awesomely on your side of the screen :)

xxxxx Security
------


Is soliciting for money/rewards when the site makes no indication they
offer them a common thing now?

If you want to see a copy of the original message, let me know off list
and I'll send it to you.


-- 
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org