I have no idea why we got this, but is it possible that someone found a SQL injection vulnerability on one of our websites?
The email sender sent it from the address [email protected]
This is the content:
***
First email:
I have found a vulnerability on xxx.de with a very high critical risk to your system; it leads to access to the whole website's database, including the personal data of the users.
I am willing to reveal the vulnerability to you as soon as possible, let me know if this is the appropriate email address to disclose & handle it.
Looking forward to hearing from you,
Best regards.
***
2nd email:
I am writing back to you because I have not received any response from your team in regards to the last email I sent about a critical vulnerability.
I do not understand if you take critical vulnerabilities to your system like this one seriously or not, but you are obliged to keep a safe and secure environment for your users.
At least this applies according to the law of the GDPR.
The vulnerability I am talking about is related to SQL Injection, which, if exploited, exposes your whole database to a third party.
Again, I am looking forward to hearing from you as soon as possible so that we can find a solution,
Best regards.
***
Outside of openbugbounty.org, we have never received an email like this.
We haven't answered because we are not sure what he wants - money, attention?
Does anyone have any advice?
Greetings, sunny
Security Vulnerability Notification with email sender NOT from openbugsbounty.com
Re: Security Vulnerability Notification with email sender NOT from openbugsbounty.com
OBB doesn't accept reports for this particular web vulnerability, SQL injection. However, this doesn't necessarily mean that this web vulnerability is not present...
Personally, I would want to know if my systems were affected by a SQL injection vulnerability (or any other type), so I would do everything in my power to get in touch with the person who supposedly found this vulnerability.
If I had a web application affected by a SQLi vulnerability and an independent researcher had reported it to me responsibly, rather than maliciously exploiting it, I would gladly agree to pay him with money and/or attention.
In any case, the issue is delicate and I would be very careful in communicating with an ethical hacker who contacts me.