Illegal activity, ethics, and OpenBugBounty platform

metamorfosec_id
Posts:269
Joined:Mon Apr 30, 2018 7:35 am
Illegal activity, ethics, and OpenBugBounty platform

Post by metamorfosec_id » Wed Sep 23, 2020 10:53 pm

Hello OBB,

I received feedback from a website owner regarding my submission about illegal activity, ethics, and OpenBugBounty platform.

"Hacking other people's sites is illegal in Europe, even an attempt to do so, no matter what your intentions are."

"...you should take a step back and rethink whether the twisted ethics behind openbugbounty are actually understood and appreciated..."

"There isn't even an option to respond to the issue..."


I have followed OBB rules.

Maybe you can provide a response.
And maybe Researchers from Europe can also provide their responses from a Researcher's perspective.

Regards.

metamorfosec_id
Posts:269
Joined:Mon Apr 30, 2018 7:35 am

Re: Illegal activity, ethics, and OpenBugBounty platform

Post by metamorfosec_id » Thu Sep 24, 2020 8:42 am

Additional feedback from the same website owner above:

...my initial reaction to the (openbugbounty) notification: I got spammed...

...openbugbounty doesn't disclose their identity, location, responsible managers, etc. This is illegal in Europe, too...

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: Illegal activity, ethics, and OpenBugBounty platform

Post by secuninja » Mon Dec 14, 2020 9:43 am

So, it's not really illegal... it's "grey".
When doing business in Europe, you need to have a disclaimer and contact details on your website. Depending on where you are, that might rule or not. I don't know where OBB makers are originating.

Hacking is illegal in Germany/Europe, that's true. But speaking for Germany, in very simple words:
- It's illegal to circumvent prevention measures to access information which is not intended to be accessed by you, or to make this information accessible to any others. §202a StGB
- It's illegal to use technical measures to tap into communication which is not intended to be accessed by you, or to make the communication accessible to others. §202b StGB
- It's illegal to generate/code password lists or password cracking tools, hacking tools or tools which are intended to violate the law, or to distribute such. §202c StGB

So XSS/Open Redirect/CSRF is none of that. Reporting data which is publicly accessible (IAC or PII disclosure) isn't either, as there is obviously no prevention measure then.

SQLi could be seen as an invasive way to manipulate information or as circumventing a measure to access information in the DV, and would therefore be illegal.

However, it's always a slim line to walk on, with no guarantee of not facing a law case.
