Ask HN: How do I report vulnerabilities and bugs?
5 points by zerotosixty on Dec 15, 2021 | 4 comments
Very frequently I notice bugs and vulnerabilities in different websites / products / SaaS.

Some of them are minor, and some are definitely very severe. From famous startups to really big companies.

What would / can you guys do ethically & legally? I did find some horror stories in the past about people reporting vulnerabilities.

Is there a way to ethically make a decent living from this? i.e. consulting, employed, self-employed, etc.?

It seems most of it is not as crystal clear and certain as other career tracks. i.e. if I wanted to switch careers to be a PM or sales, etc., and I wanted to be an insta millionaire, there's a well-documented path for that.

> I used to report these things, but half of the time, they usually don't get it fixed

You've definitely got to prioritize here. Minor things, send once and move on for the most part. Some things really don't warrant a response; if you tell me I'm exposing TLS 1.0 and the world is going to end, I'm going to ignore you because I have reasons to run TLS 1.0 and too many poor quality reports; same thing if I expose the version of Apache I'm running --- I don't care if some checklist says I shouldn't do it.

If you tell me such and such link is XSS (and it actually is), I'll try to fix it ASAP and hopefully let you know, but sometimes communication falls through the cracks; anyway, you'll be able to see it's fixed. For real issues, it's probably worth trying to follow up after a couple of weeks. If they have a public security program, use that; otherwise customer service and WHOIS contacts, maybe send a paper mail to the CEO. Look at how Project Zero reports on communication with the vulnerabilities they report, and try to emulate that. Obviously, they've got a lot of industry contacts and their team is well known, so they'll have an easier time getting in touch with people than you.

> Is there a way to ethically make a decent living from this? i.e. consulting, employed, self-employed, etc.?

Depends on where you live. If you live in a low cost country, you might be able to make enough from bug bounties. Otherwise, you're going to need to figure out how to get hired, either as a general researcher doing reports on the world at large (like you're currently doing), or as a consultant for specific clients identified in advance. While you might get lucky and turn some reports into a business relationship, it's tricky to do that without looking like you're begging for bounties https://www.troyhunt.com/beg-bounties/

Apply to existing security consulting companies and see how that goes.
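The advice above to use a vendor's public security program when one exists has a machine-readable counterpart: RFC 9116 security.txt, served at /.well-known/security.txt (with /security.txt as the legacy location). The Python below is an added example, not code from the thread or from any commenter; it assumes a hypothetical example.com publishing the constructed file embedded in the block, and parses that text offline rather than fetching anything. It checks the two required fields (Contact, Expires), rejects contacts that are not mailto:/tel:/https: URIs, and refuses to hand back contacts from an expired file, which is the usual sign that the program is no longer staffed.

```python
"""Find a vendor's published security contact from a security.txt (RFC 9116).

Added example; the security.txt body below is constructed for a hypothetical
example.com and is parsed offline. Nothing is fetched from the network.
"""
import re
from datetime import datetime, timezone

# RFC 9116 field names; Contact and Expires are the required ones.
REQUIRED_FIELDS = ("contact", "expires")
# Contact values must be URIs; these are the schemes the RFC lists.
CONTACT_SCHEME = re.compile(r"^(mailto:|tel:|https://)", re.IGNORECASE)


def candidate_urls(host):
    """Where RFC 9116 says to look: the well-known path first, legacy root second."""
    return [f"https://{host}/.well-known/security.txt",
            f"https://{host}/security.txt"]


def parse_security_txt(text):
    """Return {field_name_lowercase: [values in file order]}; comments and blank lines skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Field: value" line; ignore rather than fail
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(fields, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for contact in fields.get("contact", []):
        if not CONTACT_SCHEME.match(contact):
            problems.append(f"Contact is not a mailto:/tel:/https: URI: {contact}")
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires[:1]:
        try:
            # RFC 3339 timestamps; fromisoformat needs "+00:00" rather than "Z" on older Pythons
            when = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            problems.append(f"security.txt expired on {value}; treat its contacts as stale")
    return problems


def security_contacts(text, now=None):
    """Contacts to use, in the publisher's preferred order, or [] if the file is unusable."""
    fields = parse_security_txt(text)
    return [] if validate(fields, now) else fields.get("contact", [])


# Constructed sample for a hypothetical example.com, not fetched from anywhere.
SAMPLE_SECURITY_TXT = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security-policy
Preferred-Languages: en, fr
"""

if __name__ == "__main__":
    print("would fetch, in order:", candidate_urls("example.com"))
    for contact in security_contacts(SAMPLE_SECURITY_TXT):
        print("report to:", contact)
```

The parser keeps every Contact line in file order because RFC 9116 says the publisher lists them in order of preference; the Encryption and Policy values, when present, are where to find a PGP key for the report and the program's rules on scope and disclosure timelines.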


Do you know if there are resources that tell you how to open a line to potential clients? i.e. warm intro, cold call, etc.

It seems people prefer to report things anonymously especially when the bug bounty programs are worth so little.


I've only once reported what I perceived as a vulnerability in the Signal Android app.

Three months on since the report, the issue still exists and not even an acknowledgement of the report.


Companies often ignore bug and vulnerability reports. How about reporting to their country's CERT?
