Ask HN: Should I report a security vulnerability?
7 points by gexterra on June 7, 2013 | 5 comments
While browsing through my attendance on my school's registration system, I started playing with the URL so I could see the data I wanted. Through doing this I noticed some major SQL injection vulnerabilities that gave me the ability to alter the data and view other students' data.

Given the cases of this backfiring on the person who reports it, what should I do?



What you did was unlawful. Had you downloaded the software they were using and tested it yourself, you'd have been fine. But testing live web applications that other people operate is dangerous.

Speaking from the vantage point of someone who tests applications for a living and helps manage many tens of concurrent projects: it is surprisingly easy to crash a site by dicking around with URLs trying to find SQL injections (here's a classic example: some other part of the system you weren't aware of caches every hit to the URL you're testing and displays a result based on it to users elsewhere; your query generates an exception, bang, feature dead).

If you noodle around with someone's application just to see how riddled with SQL injections it is, and you blow up their app, there's a decent chance your actions were tortious. You can get sued. Nobody will care about your intentions; everyone (at least, everyone who matters) will tell you you shouldn't have been testing to begin with.

I think you're in a bit of a pickle, because I think it's also unethical to sit on your hands if you know a firm is putting its users at risk by fielding a comically insecure application. I'm on the side of "report anonymously". It's obviously possible to do this safely if you try hard enough, but I don't even think you need to try that hard.

A growing number of US companies, most notably Google and Facebook, now reward people who find vulnerabilities on their sites. They've deliberately made it much harder to grief people who test them for vulnerabilities. This is a trend you could reward by giving them more of your business.


Do not report it at all - even anonymously! My friend's wife works for one of the top digital forensics firms in the US (they're who lawyers use to understand what happened and when). He's told me too many unfortunate cases where people reported items like this to Fortune 500 companies, who were then prosecuted harshly. I have issues with it - but it's how the world works. I would stay away from it.


I wouldn't even attempt to report it anonymously.

I found something similar on one of my school's internal sites; there was even a disclaimer that said something along the lines of 'Please don't enter any semicolons or quotation marks...'. I just walked away from it. It's not worth getting in trouble because, for some reason, schools hire incredibly shitty web developers.
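The two bugs mentioned in this thread (the original post's URL-driven SQL injection that exposes other students' records, and the comment above about a site that asks users not to type semicolons or quotation marks instead of fixing the query) share one root cause and one fix. The example below is added here and is not code from the thread or from any school's system: it uses an in-memory SQLite table with constructed sample rows, and the table name, column names and the `student_id` URL parameter are assumptions. It shows the string-concatenated query beside a version that binds the value as a parameter and also checks that the logged-in student may only see their own rows.

```python
import sqlite3

# Constructed sample data standing in for a school registration database.
# Table layout and values are assumptions made for this example.
STUDENTS = [
    (1001, "alice", "2013-06-03", "present"),
    (1001, "alice", "2013-06-04", "absent"),
    (1002, "bob", "2013-06-03", "present"),
]


def build_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attendance (student_id INTEGER, name TEXT, day TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO attendance VALUES (?, ?, ?, ?)", STUDENTS)
    return conn


def vulnerable_lookup(conn, student_id_param):
    """The pattern behind the bug described in the thread.

    The value taken straight from the URL (?student_id=...) is pasted into
    the SQL text, so any quotes or operators in it become part of the query.
    A 'please don't type semicolons or quotes' notice does nothing to stop
    this; the database still sees whatever the client sent.
    """
    sql = (
        "SELECT name, day, status FROM attendance WHERE student_id = '"
        + student_id_param
        + "'"
    )
    return conn.execute(sql).fetchall()


def safe_lookup(conn, session_student_id, student_id_param):
    """Hardened version of the same lookup.

    Fix 1 (authorization): the server already knows who is logged in, so the
    URL parameter is validated against the session rather than trusted.
    Fix 2 (parameterized query): the value is bound by the driver and is never
    interpreted as SQL, so no blacklist of ';' or quotes is needed.
    """
    if not student_id_param.isdigit() or int(student_id_param) != session_student_id:
        raise PermissionError("may only view your own attendance")
    sql = "SELECT name, day, status FROM attendance WHERE student_id = ?"
    return conn.execute(sql, (int(student_id_param),)).fetchall()


def compare(student_id_param, session_student_id=1001):
    """Run both lookups on the same input and report row counts.

    Returns (rows_from_vulnerable, rows_from_safe_or_None_if_rejected).
    """
    conn = build_db()
    vulnerable_rows = len(vulnerable_lookup(conn, student_id_param))
    try:
        safe_rows = len(safe_lookup(conn, session_student_id, student_id_param))
    except PermissionError:
        safe_rows = None
    conn.close()
    return vulnerable_rows, safe_rows


if __name__ == "__main__":
    # A well-formed id: both versions return only that student's two rows.
    print("1001 ->", compare("1001"))
    # A quote-terminating value: the concatenated query returns every
    # student's rows, the parameterized one rejects the input outright.
    print("1001' OR '1'='1 ->", compare("1001' OR '1'='1"))
    # Another student's id: the concatenated query happily serves it, the
    # hardened one refuses because it does not match the session.
    print("1002 as 1001 ->", compare("1002"))
```

The authorization check matters as much as the parameter binding: even with a perfectly escaped query, a URL that names an arbitrary `student_id` still lets one student read another's attendance unless the server compares it against the session.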


You should check if the software is listed on the bugcrowd bug bounty list. It's a list of websites and software which accept responsible disclosure of security issues.

http://bugcrowd.com/list-of-bug-bounty-programs/

If you can't find it there you should send them an email and suggest they add it.


Report it anonymously.





