Security Vulnerability Notification with email sender NOT from openbugsbounty.com
Posted: Tue Nov 16, 2021 3:07 pm
I have no idea why we got this, but is it possible that someone found a SQL injection vulnerability on one of our websites?
The email sender sent it from an address [email protected]
This is the content:
***
First email:
I have found a vulnerability on xxx.de with a very high critical risk to your system; it leads to access to the whole website's database, including the personal data of the users.
I am willing to reveal the vulnerability to you as soon as possible, let me know if this is the appropriate email address to disclose & handle it.
Looking forward to hearing from you,
Best regards.
***
2nd email:
I am writing back to you because I have not received any response from your team in regards to the last email I sent about a critical vulnerability.
I do not understand if you take critical vulnerabilities to your system like this one seriously or not, but you are obliged to keep a safe and secure environment for your users.
At least this applies according to the law of GDPR.
The vulnerability I am talking about is related to SQL Injection which if exploited exposes your whole database to a 3rd party.
Again I am looking forward to hearing from you as soon as possible and find a solution,
Best regards.
***
We have never received an email like this from anywhere other than openbugbounty.org.
We haven't answered because we are not sure what he wants: money, attention?
Does anyone have any advice?
Greetings, sunny