Any way to report an Abusive "Researcher"

pawprint_net
Posts:4
Joined:Sun Mar 18, 2018 5:59 pm
Any way to report an Abusive "Researcher"

Post by pawprint_net » Sun Mar 18, 2018 6:03 pm

I had someone report an XSS "vulnerability" through this platform. This was a minor issue that posed no risk and I never offered any reward for bugs in the first place.

The Researcher in question is now spamming me with abusive emails because I didn't respond to their demands for payment. I'm wondering if you have any method for reporting abuse in this manner.

I can provide email examples if necessary.
you are francophonie scammer !!
come from poor country "third world" to live in canada !!
you dont deserve to live in canada !!
you have to change this retard mentality !!

On Sun, Mar 18, 2018 at 6:40 PM, <email redacted for now> wrote:

your platform have multiple fucked bugs !!
are you a stupid developer ??
or just an idiot asshole ??
you seems that you are not educated ??
you don't know to respect other and how to code !!
hahahahhaha it's my first time see an idiot like you !!
you have to pay you know this !!

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: Any way to report an Abusive "Researcher"

Post by secuninja » Sun Mar 18, 2018 7:25 pm

wow... such idiots are killing the spirit of our community...
sad to see

pawprint_net
Posts:4
Joined:Sun Mar 18, 2018 5:59 pm

Re: Any way to report an Abusive "Researcher"

Post by pawprint_net » Sun Mar 18, 2018 8:58 pm

I did look through the community and yes I do not think that this individual represents the larger community. Sadly this was my first experience here, but I think the motives are a great thing and fully support the concept.

In part that is why I would like to identify the issue. This person didn't only contact me but all my customers and I have no idea what they are thinking as a result.

Had it been a reasonable response to an actual vulnerability, I would have considered a reward for the discovery, despite never offering any bug bounties. I'm a lone developer that has since moved on to other employ and this is no longer my focus but I do always assume I have bugs and would appreciate mitigating them for the protection of my remaining users.

This type of hostile person isn't going to make things easy for the community here though. I do hope there is a way to address cases like this.

I would appreciate any suggestions for how to deal with this.

GordSchramm
Posts:164
Joined:Thu Apr 28, 2016 11:26 pm

Re: Any way to report an Abusive "Researcher"

Post by GordSchramm » Sun Mar 18, 2018 11:27 pm

This type of behavior by a researcher is intolerable. I am sorry you had to experience this incident and this just puts a dark cloud upon us as a community. I believe there should be a feedback form that a site owner can fill out for abusive incidents by "researchers" and be investigated.

Regards,

OmniGooch

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: Any way to report an Abusive "Researcher"

Post by secuninja » Mon Mar 19, 2018 7:19 am

pawprint_net wrote:
Sun Mar 18, 2018 8:58 pm
This type of hostile person isn't going to make things easy for the community here though. I do hope there is a way to address cases like this.

I would appreciate any suggestions for how to deal with this.
Quite sure the admins will respond.
If you feel there could be any more vulnerabilities, just contact one of the most "trusted" researchers you can find on the start page. They cannot access the reports, as they are private before the disclosure date, but maybe they can find the same issue and help you out.

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: Any way to report an Abusive "Researcher"

Post by x1admin » Mon Mar 19, 2018 7:51 am

pawprint_net wrote:
Sun Mar 18, 2018 6:03 pm
I had someone report an XSS "vulnerability" through this platform. This was a minor issue that posed no risk and I never offered any reward for bugs in the first place.

The Researcher in question is now spamming me with abusive emails because I didn't respond to their demands for payment. I'm wondering if you have any method for reporting abuse in this manner.

I can provide email examples if necessary.
you are francophonie scammer !!
come from poor country "third world" to live in canada !!
you dont deserve to live in canada !!
you have to change this retard mentality !!

On Sun, Mar 18, 2018 at 6:40 PM, <email redacted for now> wrote:

your platform have multiple fucked bugs !!
are you a stupid developer ??
or just an idiot asshole ??
you seems that you are not educated ??
you don't know to respect other and how to code !!
hahahahhaha it's my first time see an idiot like you !!
you have to pay you know this !!
Hello, can you provide us the researcher's nickname?

andrevcalvinho
Posts:11
Joined:Sat Sep 30, 2017 12:26 pm

Re: Any way to report an Abusive "Researcher"

Post by andrevcalvinho » Mon Mar 19, 2018 6:31 pm

Hello everybody.

I will not defend the security researcher in question because it is an intolerable behavior. But I think that when someone makes a complaint, it should be presented with some kind of evidence so that someone in the future is not wrongfully convicted.

I believe there is a need for an area to report undesirable behaviors of security researchers with some type of proof (an attachment for example with a screenshot of an email with its headers). This is just a suggestion.

In this way the researcher would be confronted with the proof so that he could defend himself.

Once again, I'm not defending anyone or accusing either, but if we are going to punish someone, we have to be fair. We know that there are bad people on both sides.

Also, website owners must keep in mind that OpenBugBounty is not responsible for security researcher actions, as the project only verifies that the vulnerability exists and reports it to the website owners. Of course, if the project is aware of less correct attitudes of a security researcher, it should take steps to distance its actions from the values that the project follows.

With all that said, I hope the situation is resolved in the best way.

pawprint_net
Posts:4
Joined:Sun Mar 18, 2018 5:59 pm

Re: Any way to report an Abusive "Researcher"

Post by pawprint_net » Mon Mar 19, 2018 7:28 pm

I agree it is best to do this in a private area and provide examples to avoid abuse from any side. To that end I replied to the request for more information (namely the individual's nic) privately and will trust that the site admins can deal with the situation in that forum, where I can provide more information if they request it.

It's for this same reason that I redacted the from email in the first sample.

Cole
Posts:36
Joined:Sun Dec 04, 2016 5:18 am

Re: Any way to report an Abusive "Researcher"

Post by Cole » Tue Mar 20, 2018 12:25 am

Hope this gets taken care of ASAP. This type of behavior is not needed here.

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: Any way to report an Abusive "Researcher"

Post by x1admin » Tue Mar 20, 2018 11:20 pm

Such behavior is undoubtedly inappropriate and unacceptable unless there are some background facts we are not aware of (e.g. you asked the researcher in question to perform some additional testing). With a big respect to researchers' efforts, we firmly condemn any pushy demands for monetary payments unless this was agreed in advance with the website owner.

Please tell the researcher that such behavior is subject to account suspension if he continues. Every website owner is free to provide any award they deem fair, including no award at all.

Very soon website owners will be able to rate security researchers and write their opinion about the researchers and their submissions.
