Website Owner Threatening Legal Action

Posted: Fri Mar 29, 2019 10:33 pm
by muhan_luo
Hey everyone,

I recently reported a reflected XSS to a website owner. About a week later, I received an email threatening legal action. This person also apparently sent an email to Comcast to shut my internet down.
Subject: Criminal Activity

PLEASE SHUT DOWN THIS KIDS INTERNET ASAP!!!!

He keeps adding more bounty sites to his list

https://www.openbugbounty.org/researchers/muhan_luo/

[email protected]

This activity is not acceptable.
All I did was manually test for XSS. No automated tools like Nikto or Zap were used. This is my first time dealing with potential legal action for reporting a vulnerability. What should I do?

Muhan

Re: Website Owner Threatening Legal Action

Posted: Sat Mar 30, 2019 2:53 am
by GordSchramm
muhan_luo wrote:
Fri Mar 29, 2019 10:33 pm
Hey everyone,

I recently reported a reflected XSS to a website owner. About a week later, I received an email threatening legal action. This person also apparently sent an email to Comcast to shut my internet down.
Subject: Criminal Activity

PLEASE SHUT DOWN THIS KIDS INTERNET ASAP!!!!

He keeps adding more bounty sites to his list

https://www.openbugbounty.org/researchers/muhan_luo/

[email protected]

This activity is not acceptable.
All I did was manually test for XSS. No automated tools like Nikto or Zap were used. This is my first time dealing with potential legal action for reporting a vulnerability. What should I do?

Muhan
I wouldn't worry about it... nothing they can actually do to prove criminality... if anything they could only attempt something against OBB... also don't believe threats... hope you are using a VPN when "bug hunting"... also how can they find out who your ISP (Comcast) is??

Re: Website Owner Threatening Legal Action

Posted: Sat Mar 30, 2019 10:23 am
by x1admin
At first sight, the website seems to be insane. In most countries what you described is certainly not a crime (unless there are other malicious elements such as extortion for example, or usage of the XSS to spread malware).

Moreover, the owner may himself risk serious legal consequences for harassing you and making false claims. If your ISP has any questions, you can probably just briefly tell them the facts and ask them to stop bothering you with unwarranted claims.

Re: Website Owner Threatening Legal Action

Posted: Sat Mar 30, 2019 2:40 pm
by muhan_luo
GordSchramm wrote:
Sat Mar 30, 2019 2:53 am
muhan_luo wrote:
Fri Mar 29, 2019 10:33 pm
Hey everyone,

I recently reported a reflected XSS to a website owner. About a week later, I received an email threatening legal action. This person also apparently sent an email to Comcast to shut my internet down.
Subject: Criminal Activity

PLEASE SHUT DOWN THIS KIDS INTERNET ASAP!!!!

He keeps adding more bounty sites to his list

https://www.openbugbounty.org/researchers/muhan_luo/

[email protected]

This activity is not acceptable.
All I did was manually test for XSS. No automated tools like Nikto or Zap were used. This is my first time dealing with potential legal action for reporting a vulnerability. What should I do?

Muhan
I wouldn't worry about it... nothing they can actually do to prove criminality... if anything they could only attempt something against OBB... also don't believe threats... hope you are using a VPN when "bug hunting"... also how can they find out who your ISP (Comcast) is??

I didn't use a VPN because I didn't want to seem like I'm hiding anything. I already posted my real name and a picture of me on my bio. I imagine that a VPN would not do me much good in concealing my identity.

Re: Website Owner Threatening Legal Action

Posted: Sat Mar 30, 2019 2:42 pm
by muhan_luo
x1admin wrote:
Sat Mar 30, 2019 10:23 am
At first sight, the website seems to be insane. In most countries what you described is certainly not a crime (unless there are other malicious elements such as extortion for example, or usage of the XSS to spread malware).

Moreover, the owner may himself risk serious legal consequences for harassing you and making false claims. If your ISP has any questions, you can probably just briefly tell them the facts and ask them to stop bothering you with unwarranted claims.
Thanks for the reassurance, but I'm still worried about this because the CFAA is really broad.