Better communication with website owners
Hi Folks,
We just had a case when one researcher continuously and systematically did not answer a website owner truly willing to fix the vulnerabilities, but was posting new submissions instead in the meantime (our emails remained ignored as well). Such behavior is definitely against OBB values of responsible and coordinated disclosure aimed at helping website owners. This is an isolated case, but we want to prevent any similar situations in the future.
Please:
Update your profiles and make sure you have an email AND some alternative contacts there. Profiles without contact details may be suspended unless contacts are added.
Respond to website owners as promptly as is practical and reasonable. Abandoned reports (i.e. you keep silent for over 45 days despite the website owner’s requests for details) may be deleted or disclosed to the website owner before public disclosure. Otherwise it’s just unfair towards the website owners who cannot fix the vulnerabilities.
We really try to make things comfortable for everyone here, so please follow these simple rules =)
Re: Better communication with website owners
Hey, why not install a process in which the notified website owners can also rate researchers?
Add some kind of token to the notification email which can be used once the report is marked as patched or publicly disclosed.
Also add a button like "Researcher is unresponsive" to inform the admins when an owner has issues getting details.
Re: Better communication with website owners
secuninja wrote: ↑Thu Mar 01, 2018 6:19 am
    Hey, why not install a process in which the notified website owners can also rate researchers?
    Add some kind of token to the notification email which can be used once the report is marked as patched or publicly disclosed.
    Also add a button like "Researcher is unresponsive" to inform the admins when an owner has issues getting details.

We will implement researcher rating soon.
Re: Better communication with website owners
secuninja wrote: ↑Thu Mar 01, 2018 6:19 am
    Hey, why not install a process in which the notified website owners can also rate researchers?
    Add some kind of token to the notification email which can be used once the report is marked as patched or publicly disclosed.
    Also add a button like "Researcher is unresponsive" to inform the admins when an owner has issues getting details.

Great idea!
Re: Better communication with website owners
Definitely a great idea
Re: Better communication with website owners
Perhaps it's down to the fact that some website owners are ignorant and rude.
I have worked with various website owners in the past that have promised me a reward upon disclosure; when disclosure is issued, they proceed to ignore me.
Now, if one reported another vulnerability on their website through www.openbugbounty.org, why would one respond to them with details on the new vulnerability?
Re: Better communication with website owners
Because we're (mostly) the good guys.
Re: Better communication with website owners
I submitted a request regarding lack of contact from a researcher at https://www.openbugbounty.org/about/contacts/ and no one has returned our message. What additional steps are necessary?
Re: Better communication with website owners
Can you provide the report ID?