Site operators should reward responsible disclosure, not get researchers into trouble. Bug bounties are a good way to do that. Unfortunately, there are still people out there who don't understand their true value.
You run a high-profile website. Going through your logs you see someone used a blind SQL injection vulnerability to enumerate the data tables and exfiltrate a few hundred rows from some of the tables.
Is this person just a "friendly" pentester who "did you a favor" by finding a problem and just hasn't gotten around to telling you about it yet? Or was this an attacker who found a hole into your organization and is either hacking you further, selling the knowledge about your site's vulnerability to others, or monetizing this information in some other way?
You have no way to know. All you know is someone committed a crime.
What you say seriously has nothing to do with what the previous comment says. In fact, it's an argument for what he says.
If someone discloses a security hole to you, you reward him.
Two reasons why:
- You now know what the issue is and that there is one. He may have sold all of your organization's private data to some other guy, but that's a constant in your situation. The only difference is knowing the source of the hole. If it helps get disclosure, even if it's from a black hat and he did commit something unethical, he still gave you something to fix.
- It gives white hats a way to find holes in your security. Without that, they have no incentive to work on it. Again, I will work with constants: black hats are a constant in the situation, either way they will try it, but without a bug bounty, you will only have black hats.
So what does knowing whether it's a black hat or a white hat change for you? Nothing; you still should have a bug bounty that rewards disclosure, because that's the only way to increase your odds of fixing these security holes (the only thing that matters most, whatever happens).
(I'm not saying to do nothing, though; if you see a SQL injection in your log, you fix it either way.)
I'm describing how it looks from the other side. I have no way of knowing if you are "good". I have no way of knowing anything other than someone used an automated attack tool against my property. This is why exploiting SQL injection you find on some random site is dangerous, even if you have the best intentions.
To continue your analogy, 1000 other potential robbers are trying to get in every day, you are virtually always on holiday or otherwise outside the house, and the window was voice-activated. The intruder said a well-known special phrase which caused it to open. The expectation is that you've checked the windows, door, lock, and any other potential openings yourself to make sure they can't be entered like that. So yes, I'd say the person who doesn't take the valuables and run is doing you a huge favor.
Agree, I think it is more that you left the door unlocked when you meant for it to be locked and the mailman opened the door to yell "Hello??" but no one was home, so he let you know the door is unlocked. :)
> Didn't you realise that I could smash your window and climb in?
I did realize, which is why I don't keep your private information in there. It is in a safe hidden somewhere.
That website clearly didn't realize that they had a window right there. Thanks to this guy, they have now replaced it with a wall.
You accept the risk of that window; the people who go into your house or do stuff in your house accept that risk while being near that window because they know the risk. On a website, you deal with other people's stuff; not only is there an expectation of security, you won't have the luxury of knowing where there's a window like that.
As someone just starting out - is there a decent alternative to cash bug bounties for the penniless webmaster? I could probably afford to chuck someone a tenner or so if they helped out, but to be honest that sounds like a bit of a pitiful bounty.
Basically I'd like to say "Hey, we won't sue you if you report security problems", but I feel that due to other available bug bounties with wealthier pockets out there I'd just look like a cheap SOB rather than managing to make the original point of not suing for responsible disclosure.