Website Owner Threatening Legal Action

Your experience of helping website owners
muhan_luo
Posts:7
Joined:Thu Feb 21, 2019 10:43 pm
Post by muhan_luo » Fri Mar 29, 2019 10:33 pm

Hey everyone,

I recently reported a reflected XSS to a website owner. About a week later, I received an email threatening legal action. This person also apparently sent an email to Comcast to shut my internet down.

Subject: Criminal Activity

PLEASE SHUT DOWN THIS KIDS INTERNET ASAP!!!!

His keeps adding more bounty sites to his list

https://www.openbugbounty.org/researchers/muhan_luo/

[email protected]

This activity is not acceptable.

All I did was manually test for XSS. No automated tools like Nikto or Zap were used. This is my first time dealing with potential legal action for reporting a vulnerability. What should I do?

Muhan

GordSchramm
Posts:164
Joined:Thu Apr 28, 2016 11:26 pm

Re: Website Owner Threatening Legal Action

Post by GordSchramm » Sat Mar 30, 2019 2:53 am

muhan_luo wrote:
Fri Mar 29, 2019 10:33 pm
Hey everyone,

I recently reported a reflected XSS to a website owner. About a week later, I received an email threatening legal action. This person also apparently sent an email to Comcast to shut my internet down.
Subject: Criminal Activity

PLEASE SHUT DOWN THIS KIDS INTERNET ASAP!!!!

His keeps adding more bounty sites to his list

https://www.openbugbounty.org/researchers/muhan_luo/

[email protected]

This activity is not acceptable.
All I did was manually test for XSS. No automated tools like Nikto or Zap were used. This is my first time dealing with potential legal action for reporting a vulnerability. What should I do?

Muhan

I wouldn't worry about it......nothing they can actually do to prove criminality.......if anything they could only attempt something against OBB......also don't believe threats......hope you are using a VPN when "bug hunting"......also how can they find out who your ISP (Comcast) is??

x1admin
Site Admin
Posts:3101
Joined:Sun Nov 15, 2015 7:04 pm

Re: Website Owner Threatening Legal Action

Post by x1admin » Sat Mar 30, 2019 10:23 am

At first sight, the website seems to be insane. In most countries what you described is certainly not a crime (unless there are other malicious elements such as extortion for example, or usage of the XSS to spread malware).

Moreover, the owner himself may risk serious legal consequences for harassing you and making false claims. If your ISP has any questions, you can probably just briefly tell the facts and ask them to stop bothering you with unwarranted claims.

muhan_luo
Posts:7
Joined:Thu Feb 21, 2019 10:43 pm

Re: Website Owner Threatening Legal Action

Post by muhan_luo » Sat Mar 30, 2019 2:40 pm

GordSchramm wrote:
Sat Mar 30, 2019 2:53 am
muhan_luo wrote:
Fri Mar 29, 2019 10:33 pm
Hey everyone,

I recently reported a reflected XSS to a website owner. About a week later, I received an email threatening legal action. This person also apparently sent an email to Comcast to shut my internet down.
Subject: Criminal Activity

PLEASE SHUT DOWN THIS KIDS INTERNET ASAP!!!!

His keeps adding more bounty sites to his list

https://www.openbugbounty.org/researchers/muhan_luo/

[email protected]

This activity is not acceptable.
All I did was manually test for XSS. No automated tools like Nikto or Zap were used. This is my first time dealing with potential legal action for reporting a vulnerability. What should I do?

Muhan
I wouldn't worry about it......nothing they can actually do to prove criminality.......if anything they could only attempt something against OBB......also don't believe threats......hope you are using a VPN when "bug hunting"......also how can they find out who your ISP (Comcast) is??

I didn't use a VPN because I didn't want to seem like I'm hiding anything. I already posted my real name and a picture of me on my bio. I imagine that a VPN would not do me much good in concealing my identity.

muhan_luo
Posts:7
Joined:Thu Feb 21, 2019 10:43 pm

Re: Website Owner Threatening Legal Action

Post by muhan_luo » Sat Mar 30, 2019 2:42 pm

x1admin wrote:
Sat Mar 30, 2019 10:23 am
At first sight, the website seems to be insane. In most countries what you described is certainly not a crime (unless there are other malicious elements such as extortion for example, or usage of the XSS to spread malware).

Moreover, the owner himself may risk serious legal consequences for harassing you and making false claims. If your ISP has any questions, you can probably just briefly tell the facts and ask them to stop bothering you with unwarranted claims.

Thanks for the reassurance, but I'm still worried about this because the CFAA is really broad.
