Security Vulnerability Notification with email sender NOT from openbugsbounty.com

LKSPN
Posts:1
Joined:Fri Nov 12, 2021 11:30 am

Post by LKSPN » Tue Nov 16, 2021 3:07 pm

I have no idea why we got this, but is it possible that someone found a SQL injection vulnerability on one of our websites?
The email sender sent it from the address [email protected]
This is the content:
***
First email:
I have found a vulnerability on xxx.de with a very high, critical risk to your system; it leads to access to the whole website's database, including the personal data of the users.
I am willing to reveal the vulnerability to you as soon as possible, let me know if this is the appropriate email address to disclose & handle it.
Looking forward to hearing from you,
Best regards.
***
2nd email:
I am writing back to you because I have not received any response from your team in regards to the last email I sent about a critical vulnerability.
I do not understand if you take critical vulnerabilities to your system like this one seriously or not, but you are obliged to keep a safe and secure environment for your users.
At least this applies according to the GDPR.
The vulnerability I am talking about is related to SQL injection, which, if exploited, exposes your whole database to a third party.
Again, I am looking forward to hearing from you as soon as possible and finding a solution.
Best regards.
***
We have never received an email like this from outside openbugbounty.org.
We don't answer because we are not sure what he wants: money, attention?

Does anyone have any advice?

Greetings, sunny

0xr0cky
Posts:66
Joined:Sun Jul 14, 2019 12:31 am
Re: Security Vulnerability Notification with email sender NOT from openbugsbounty.com

Post by 0xr0cky » Wed Nov 17, 2021 6:06 pm

For this particular type of web vulnerability, OBB doesn't accept SQL injection reports. However, this doesn't necessarily mean that the vulnerability is not present...

Personally, I would want to know if my systems are affected by a SQL injection vulnerability (or any other type), so I would do everything in my power to get in touch with a person who supposedly found this vulnerability.

If I had a web application affected by a SQLi vulnerability and an independent researcher had reported it to me responsibly, rather than maliciously exploiting it, I would gladly pay him with money and/or attention.

In any case, the issue is delicate and I would be very careful in communicating with an ethical hacker who contacts me.
