Hacker News
Ask HN: I found a security issue on a (known) website, should I report it? How?
3 points by sandreas on April 8, 2024 | 6 comments
Hey HN,

Today I tinkered around with a public API and found a security issue (SQL injection). I don't want to get in trouble and I read about cases where the owner of the site sued the reporter of an issue.

I was not looking for issues, I'm not trying to sell this issue nor selling data - I found it accidentally. I could ignore it, but before someone is using this in a harmful way, I thought: Let's ask the experts.

There is no bug bounty program, the site is probably handcrafted (no frameworks like Keystone, WordPress or something).

So I would love to get some advice on how to handle this?!

Thank you.



> I don't want to get in trouble

Report it from a new, random email address not connected to you in any way. Try to reach the engineers directly so it doesn't go through someone non-technical.


Yeah this, I did this when I was reporting an issue to my bank.


Typically a company would post a contact channel for this type of stuff. The boilerplate is security@company.com, which is what my (small) startup does.

Barring that, an email to the administrator through a contact form would work. If you're worried about how they will perceive this feedback, I'd start with a query before submitting the issue. "I noticed a potential security issue with your site. What is the best way to report it?"


> "I noticed a potential security issue with your site. What is the best way to report it?"

It should come with more back-story, because companies (security@ email address) receive quite a few similar emails and many are borderline spam. I'm talking about security researchers telling us they found something, then when we reply asking for details there's silence. To the point where we sometimes don't even answer any more. It's a sad state of security research where some are spamming 100s of companies.


> I noticed a potential security issue with your site.

Please don't stop there! There are thousands of people who will try that hook, but if you try to reach out, you'll learn they claim insecure headers in the HTTP response and want bug bounty money for it whether you offer it or not.

If you're sending the email, make a new section with all the technical details included immediately. Otherwise you risk going straight to the bin.


Also check for a security.txt file (https://securitytxt.org/), but it's rare.




