undefined | Better HN

0 pointsdaguava10y ago0 comments

While I am kind of a jerk, I haven't made a vulnerability of it yet, just an info leak that may help someone here complete the puzzle.

0 comments

colechristensen10y ago

If this was an essential security library instead of a fun website, this would have been an incredibly irresponsible disclosures.

Bug bounty programs searching for security vulnerabilities rarely need completed proof of concept exploits – crashes are enough. You've laid down all of the pieces for someone competent to potentially do some real damage without much work at all, and that's exactly why the request was made not to disclose any further vulnerabilities.

GFK_of_xmaspast10y ago

The whole point of Project Euler is you're not supposed to give hints.

daguavaOP10y ago

The attackers didn't give hints either :(

rnovak10y ago

I think you're confusing "exploit" and vulnerability. An info leak is a vulnerability. Period.

And yes. You completely went around their request, and made this info public without their consent.

Actions like this are THE reason the relationship between vendors and security researchers is strained.

There's a SPECIFIC reason it's considered common courtesy to wait until a vulnerability is patched before public disclosure.

IANAL, but you also violated their ToS by doing this, and if you did this to a site I owned, especially without my consent, I'd be very motivated to contact the proper authorities and pursue civil remedies.

ChristianBundy10y ago

> if you did this to a site I owned, especially without my consent, I'd be very motivated to contact the proper authorities and pursue civil remedies.

Actions like this are THE reason the relationship between vendors and security researchers is strained.

branchless10y ago

Good grief, Americans and threatening to sue anything that moves.

1 more reply

rnovak10y ago

Excuse me? You want to be able to launch an attack, unprovoked, against a server you don't own, without permission, and you want the owner to be cool with that?

You want the owner to be cool with you disrupting business, causing untold financial damage?

PEOPLE like you are the reason that relationship is strained, and the reason the CFAA was written in the first place.

So please do keep "pen-testing" sites you down own without anyones permission, I'm sure you'll end up with a great life that way.

gregmolnar10y ago

100% agree!

daguavaOP10y ago

All of this info (sans the HTTP 300 issues) is accessible via means which have been specifically GIVEN to users on the statistics and profile page. All I've done is point out combining these lovingly provided sets of information may have a role in what has happened.

j / k navigate · click thread line to collapse

0 comments

colechristensen10y ago

If this was an essential security library instead of a fun website, this would have been an incredibly irresponsible disclosures.

GFK_of_xmaspast10y ago

The whole point of Project Euler is you're not supposed to give hints.

daguavaOP10y ago

The attackers didn't give hints either :(

rnovak10y ago

I think you're confusing "exploit" and vulnerability. An info leak is a vulnerability. Period.

And yes. You completely went around their request, and made this info public without their consent.

Actions like this are THE reason the relationship between vendors and security researchers is strained.

There's a SPECIFIC reason it's considered common courtesy to wait until a vulnerability is patched before public disclosure.

ChristianBundy10y ago

> if you did this to a site I owned, especially without my consent, I'd be very motivated to contact the proper authorities and pursue civil remedies.

Actions like this are THE reason the relationship between vendors and security researchers is strained.

branchless10y ago

Good grief, Americans and threatening to sue anything that moves.

1 more reply

rnovak10y ago

Excuse me? You want to be able to launch an attack, unprovoked, against a server you don't own, without permission, and you want the owner to be cool with that?

You want the owner to be cool with you disrupting business, causing untold financial damage?

PEOPLE like you are the reason that relationship is strained, and the reason the CFAA was written in the first place.

So please do keep "pen-testing" sites you down own without anyones permission, I'm sure you'll end up with a great life that way.

gregmolnar10y ago

100% agree!

daguavaOP10y ago

j / k navigate · click thread line to collapse