Under attack

source_dr
Posts:2
Joined:Thu Apr 25, 2019 9:54 am
Under attack

Post by source_dr » Thu Apr 25, 2019 7:40 pm

Hello,
Today, I received an email saying that I have an XSS vulnerability. I registered one hour afterwards and sent a message to the alerter (no response yet), but in the meantime the URL of the site has been disclosed, AND because it is public I received dozens of attacks today, when I generally have one or two per week.
It means that your list is saying to hackers: you can attack this site, as there is a vulnerability, and here is the type of vulnerability.

I would find it more ethical:
1. to send the alert by email, but wait 2 weeks for a response before disclosing that the site has a vulnerability, and only then disclose the URL.

Otherwise, it is really "here is a target, please go for it" like hunting.

Question now: how do I unlist my site?

Thank you

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: Under attack

Post by secuninja » Fri Apr 26, 2019 4:45 am

Usually there is a 90-day hold time before the report gets released publicly.
Quite sure admin can help you out.

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: Under attack

Post by x1admin » Fri Apr 26, 2019 6:38 am

source_dr wrote:
Thu Apr 25, 2019 7:40 pm
Hello,
Today, I received an email saying that I have an XSS vulnerability. I registered one hour afterwards and sent a message to the alerter (no response yet), but in the meantime the URL of the site has been disclosed, AND because it is public I received dozens of attacks today, when I generally have one or two per week.
It means that your list is saying to hackers: you can attack this site, as there is a vulnerability, and here is the type of vulnerability.

I would find it more ethical:
1. to send the alert by email, but wait 2 weeks for a response before disclosing that the site has a vulnerability, and only then disclose the URL.

Otherwise, it is really "here is a target, please go for it" like hunting.

Question now: how do I unlist my site?

Thank you

Vulnerability details are hidden for 90 days. You can ask the researcher to make the report private, or create a bug bounty program and select "allow private submissions only".

source_dr
Posts:2
Joined:Thu Apr 25, 2019 9:54 am

Re: Under attack

Post by source_dr » Fri Apr 26, 2019 3:03 pm

Thank you for the answer.

geeknik
Posts:47
Joined:Tue Nov 24, 2015 7:08 pm

Re: Under attack

Post by geeknik » Thu Jul 18, 2019 3:49 pm

secuninja wrote:
Fri Apr 26, 2019 4:45 am
Usually there is a 90-day hold time before the report gets released publicly.
Quite sure admin can help you out.

x1admin wrote:
Fri Apr 26, 2019 6:38 am
Vulnerability details are hidden for 90 days. You can ask the researcher to make the report private, or create a bug bounty program and select "allow private submissions only".

Yes, but the base domain is still public when you submit a vulnerability, and that is what this site owner is talking about. Hiding the base domain for X weeks after submission makes sense.

GordSchramm
Posts:164
Joined:Thu Apr 28, 2016 11:26 pm

Re: Under attack

Post by GordSchramm » Fri Jul 19, 2019 1:00 am

geeknik wrote:
Thu Jul 18, 2019 3:49 pm
secuninja wrote:
Fri Apr 26, 2019 4:45 am
Usually there is a 90-day hold time before the report gets released publicly.
Quite sure admin can help you out.

x1admin wrote:
Fri Apr 26, 2019 6:38 am
Vulnerability details are hidden for 90 days. You can ask the researcher to make the report private, or create a bug bounty program and select "allow private submissions only".

Yes, but the base domain is still public when you submit a vulnerability, and that is what this site owner is talking about. Hiding the base domain for X weeks after submission makes sense.

I agree
