undefined | Better HN

0 pointsangersock14y ago0 comments

Provided that the he did so and made the change public, and the modification was not malicious?

Yes. I'd even send him a thank-you email, and add him to our list of contributors.

I'd then of course contact the customer (probably over phone, as quickly as possible), explain the vulnerability, explain what happened, and explain how we were fixing it. Then I'd write a post about it, and put it on the front of the site.

That's how you do business.

0 comments

grabastic14y ago

"Hey customer, someone hacked your page thanks to a vulnerability in my service, but don't worry... I've added him as a contributor to my project and sent him a thank you email."

Like that?

angersockOP14y ago

More like:

"Dear Grabastic,

Today we had a demonstration by a user (xxx) of a security vulnerability on our site.

${VULNERABILITY_EXPLANATION}

We believe that it is possible that your application or records are covered in the scope of the exploit, because of the fact that ${VULNERABILITY_APPLICATION}.

In order to fix this issue, we have ${VULNERABILITY_PATCH}.

We have thanked this user for their vigilance in spotting bugs and security weaknesses in our site, and they have been added to our contributors-security page here (link).

We have a stance that security is something that can only be improved by lots of inquisitive eyes, and so if you have seen any issues that concern you, please do not hesitate to inform us and/or demonstrate the vulnerability--provided, of course, you do so without breaking anything permanently. :)

Our service is better today than it was yesterday, and we hope that with the patience and openness of our users it will be still better tommorrow!

Sincerely, angersock "

See, not so hard!

grabastic14y ago

Not bad. You won me over. :)

nailer14y ago

What if the customer is panicing, because the message looked like:

+another showcase of rails apps vunlerability. 2 +Github pwned. again :( 3 +will you pay me for security audit?

It kinda sounds like you've succumbed to an extortion demand.

j / k navigate · click thread line to collapse

0 pointsangersock14y ago0 comments

Provided that the he did so and made the change public, and the modification was not malicious?

Yes. I'd even send him a thank-you email, and add him to our list of contributors.

That's how you do business.

0 comments

grabastic14y ago

"Hey customer, someone hacked your page thanks to a vulnerability in my service, but don't worry... I've added him as a contributor to my project and sent him a thank you email."

Like that?

angersockOP14y ago

More like:

"Dear Grabastic,

Today we had a demonstration by a user (xxx) of a security vulnerability on our site.

${VULNERABILITY_EXPLANATION}

We believe that it is possible that your application or records are covered in the scope of the exploit, because of the fact that ${VULNERABILITY_APPLICATION}.

In order to fix this issue, we have ${VULNERABILITY_PATCH}.

We have thanked this user for their vigilance in spotting bugs and security weaknesses in our site, and they have been added to our contributors-security page here (link).

Our service is better today than it was yesterday, and we hope that with the patience and openness of our users it will be still better tommorrow!

Sincerely, angersock "

See, not so hard!

grabastic14y ago

Not bad. You won me over. :)

nailer14y ago

What if the customer is panicing, because the message looked like:

+another showcase of rails apps vunlerability. 2 +Github pwned. again :( 3 +will you pay me for security audit?

It kinda sounds like you've succumbed to an extortion demand.

j / k navigate · click thread line to collapse