Better communication with website owners

Questions or suggestions about the platform
x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Post by x1admin » Wed Feb 28, 2018 7:11 pm

Hi Folks,



We just had a case where one researcher continuously and systematically did not answer a website owner truly willing to fix the vulnerabilities, but was posting new submissions instead in the meantime (our emails remained ignored as well). Such behavior is definitely against OBB values of responsible and coordinated disclosure aimed to help website owners. This is an isolated case but we want to prevent any similar situations in the future.



Please:

Update your profiles and make sure you have an email AND some alternative contacts there. Profiles without contact details may be suspended unless contacts are added.
Respond to website owners as promptly as practical and reasonable. Abandoned reports (i.e. you keep silent for over 45 days despite website owner’s requests for details) may be deleted or disclosed to the website owner before public disclosure. Otherwise it’s just unfair towards the website owners who cannot fix the vulnerabilities.



We really try to make things comfortable for everyone here and please follow these simple rules =)

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: Better communication with website owners

Post by secuninja » Thu Mar 01, 2018 6:19 am

Hey, why not install a process in which the notified website owners can also rate researchers?
Add some kind of token to the notification email which can be used once the report is marked as patched or publicly disclosed.
Also add a button like "Researcher is unresponsive" to inform the admins when an owner has issues getting details.

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: Better communication with website owners

Post by x1admin » Thu Mar 01, 2018 7:43 am

secuninja wrote:
Thu Mar 01, 2018 6:19 am
Hey, why not install a process in which the notified website owners can also rate researchers?
Add some kind of token to the notification email which can be used once the report is marked as patched or publicly disclosed.
Also add a button like "Researcher is unresponsive" to inform the admins when an owner has issues getting details.
We will implement researcher rating soon

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: Better communication with website owners

Post by secuninja » Thu Mar 01, 2018 8:24 am

awesome :)

RiceNinja248
Posts:16
Joined:Thu Oct 12, 2017 2:26 pm

Re: Better communication with website owners

Post by RiceNinja248 » Thu Mar 01, 2018 5:07 pm

secuninja wrote:
Thu Mar 01, 2018 6:19 am
Hey, why not install a process in which the notified website owners can also rate researchers?
Add some kind of token to the notification email which can be used once the report is marked as patched or publicly disclosed.
Also add a button like "Researcher is unresponsive" to inform the admins when an owner has issues getting details.
Great idea! :)

kongwenbin
Posts:18
Joined:Sun Sep 24, 2017 4:30 am

Re: Better communication with website owners

Post by kongwenbin » Sat Mar 03, 2018 5:25 pm

Definitely a great idea ;)

vpq_wtf
Posts:118
Joined:Mon Apr 25, 2016 3:43 am

Re: Better communication with website owners

Post by vpq_wtf » Mon Mar 05, 2018 6:15 pm

Perhaps it's down to the fact that some website owners are ignorant and rude.

I have worked with various website owners in the past who have promised me a reward upon disclosure; when disclosure is issued, they proceed to ignore me.

Now, if one reported another vulnerability on their website through www.openbugbounty.org, why would one respond to them with details on the new vulnerability?

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: Better communication with website owners

Post by secuninja » Tue Mar 06, 2018 5:28 am

because we're (mostly) the good guys

ob1ob1ob1ob1ob1
Posts:2
Joined:Tue Apr 03, 2018 6:22 pm

Re: Better communication with website owners

Post by ob1ob1ob1ob1ob1 » Thu Apr 19, 2018 5:11 pm

I submitted a request regarding lack of contact from a researcher at https://www.openbugbounty.org/about/contacts/ and no one has returned our message. What additional steps are necessary?

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: Better communication with website owners

Post by secuninja » Thu Apr 19, 2018 7:33 pm

can you provide the report id?
