How to report a vulnerability and not go to jail
This article is more like something to think about rather than technical guide. It contains my thoughts with which you do not necessarily agree, but I will be happy to hear your opinion, maybe I will be able to improve my approach on the subject.
The topic may seem simple in general. You find a bug, a hole, a vulnerability. You report it to the owner of the service, application or website. The owner fixes the detected error or reports it to the department or company handling the service. In response, they send thanks, sometimes a reward in the form of company gadgets or gift cards, or cash prizes. After all, compared to the trouble that they could get into by exploiting the vulnerability by a person with bad intentions, e.g. a dangerous hacker, they are incomparably greater than, for example, a prize of 500 bucks to guy who spend his free time to make someone’s else service more secure.
Sounds like a process in a perfect world. But now real world scenario looks like this: in fact, you’ve found a vulnerability where you shouldn’t be looking. You have the police in front of your house with an arrest record because the company reported, that you were rummaging through their infrastructure without their permission.
It is not important that you report the bug in good will and the process of finding it did not disrupt the operation of the company’s infrastructure. You are “mister bad hacker“ and you will go to jail for it.
Why am I writing about this? Because many times I’ve heard someone reporting something instead of being a hero became a villain. And also when I find something, instead of reporting it right away, I wonder how to do it, so as not to cause myself any problems. I shouldn’t have to wonder, I should report the problem as soon as possible without any worries or unpleasant consequences. The law and the realities are different, however.
Some introduction remarks
For people outside the industry, hacker has a bad connotation. They do not distinguish between concepts such as ethical hacker, white hat, gray hat, black hat, red team, blue team, security researcher. Hacker is a hacker, and it is always a bad guy. I feel aggrieved :(
The law is constantly changing and adapting, but technology and everything related to it is developing faster.
In technologically advanced countries, it is easier to find lawyers specializing in cybersecurity law and technology in general. But I don’t consider it a rule. However, in my career, I have hardly ever met lawyers or legal entities who were familiar with new technologies, blockchain, cryptocurrencies, penetration tests, etc. (in big corporations it is always easier for that kind of lawyers). If they do not know technology and do not understand how it works, and there is nothing in the law about it, how to protect human resources against possible misunderstanding by law enforcement or judiciary. Of course, we have experts for this. But the tech experts don’t come up with a verdict as to whether someone is guilty or not.
If there are no clear regulations, intentions count.
Outside big companies listed on bug bounty programs It is hard to get a company that does not consider the reported problem a problem to act.
In my opinion, and many cybersecurity experts, it is better to participate in the bug bounty program and allocate a small budget for rewards than to lose credibility, customers or data by hacking. In the end, the brand will suffer anyway. However, it is difficult to estimate the losses that the company may incur. Managers like bars and charts. If we know that when a device or website stops working and we show losses in millions, the budget for the security department will immediately be found. If the matter is more complicated, you have to be well prepared if you are fighting for the budget.
Sometimes I explain myself some cybersecurity things as other real life scenario related to physical security. Maybe it is something similar to riding a car on the neighborhood and watch which windows and doors are open in the area. Until you not get into the house, using open doors/windows and take something you are not a thief. And the house owner should be happy that you inform him about it. Many times when I see forgotten keys in the door of my neighbor, I knock the door, and when the old lady opens the door I am pointing at her keys in the lock and I say: “*you should be more carefull”. She is scarred, but thanks me a lot and always say, “thanks god that was you and not some bad guy“. Of course, she might as well start screaming and call the police, but I think I could explain myself. Besides, I prefer not to touch anything. A neighbor might feel uncomfortable if I gave her the keys from my hand. Did I take out the keys and hand it over immediately, or did I take it out an hour ago, made copies and just handed it back. What if she opened at the moment I took the keys out of the lock? How she can believe me that the key was all the time in the door lock?
How to report findings
First of all, it’s best to use bug bounty programs and look for bugs for companies that agree to this search. We have clearly defined requirements and the scope of the search there. Sometimes there is such information on the company’s official website and companies have their own programs, not participating in some organized platform. When we have doubts and there is a suspicion of a vulnerability, we can write to the company asking them how to report a problem with the service and see how they will react and whether they will respond at all. I know from experience that when companies reply quickly and specifically, it means that they are interested in cooperation. (Check my other article, if you are interested in how to start your journey with ethical hacking).
Here is the list of popular bounty programs:
HackerOne - https://hackerone.com/
Intigriti - https://www.intigriti.com/
Zerocopter - https://www.zerocopter.com/
BugCrowd - https://bugcrowd.com/
Open Bug Bounty - https://www.openbugbounty.org/
YesWeHack - https://www.yeswehack.com/
SafeHats - https://safehats.com/
and here you can find list of bug bounty programs:
Quite good right? Big companies, official ranges, big and small rewards, science and security at the same time. So what’s the big deal. Everything works perfectly as long as it is officially reported to companies that are waiting with open arms for people like you. The stairs start when you start looking for bugs where they don’t want you. You might ask, but why look elsewhere? If companies do not want to, and have bugs in them, let them die. Kill it with fire, right? Who knows, maybe, but what if you are a customer of such a company? I do not know how it looks like in other countries, but in mine, which seems to be a modern and European one, many institutions, especially state-owned ones, are one big mess when it comes to security.
State-owned companies generally do not have a cybersecurity budget. Everything works a miracle and the repairs involve the use of a large amount of tape and assembly straps, or possibly dismissing someone from a lower level so as not to lose a job. You can always hire a neighbor’s son, because he recently reinstalled Windows well on your wife private laptop. There is a lot of irony and sarcasm in the same time here, but sadly from my own experience I know it sometimes looks like that.
No matter, small companies, state-owned, startups or large corporations on a national scale, not everyone is happy when a problem is reported to them. Let’s get an example.
A year or two ago, I found a security problem in the public transport card system. I cannot describe the technical details yet because the matter is endless. I can only say that I found the bug only because I am a public transport user in my region (or better to say I was, because thanks to the fact that I am a great cyber security expert, I drive a super luxurious and comfortable car - science pays off - poor joke). Once the case will be closed I will write about it. Anyway, it was possible to easily generate possible logins and passwords and perform bruteforce attack. Sometimes it happens that you use something and an error pops up or something tells you that someone designed it wrong. It was the same in this case. To prove it, however, I had to prepare a proof of concept. To do this, I had to do something that is considered illegal, i.e. hack into user accounts. Or rather, gain unauthorized access to their accounts. I prepared my test environment (more on that in a moment), but before I did it, I was looking for information on the company’s website, whether they have a bug bounty program or whether they are on one of the platforms. I found nothing. And knowing the realities of the country where I live and the fact that I find a problem in a company that has security straight from the Middle Ages, I knew that I should not report it myself. By reporting it myself, I would certainly have more problems and the error would probably not be fixed. It would be more important to find the “bad man” than to understand the problem he presented. “Focus on the problem not the person“ doesn’t work here. The guilty must be found and burnt at the stake to set an example, then no one will dare to mess with us anymore (damn man, everyone understand what is the problem - continue!).
To the point. There are two ways to report such a problem so as not to do it directly.
For example, via the OpenBugBounty portal. Where anyone can report a found bug, even in companies that do not participate in any program. An officially reported bug via this site can then be an example that you did it in good faith by acting professionally. The information will be verified and provided in a professional manner to the owners of the website/service by OpenBugBounty employees.
The second solution is to report a case through a popular general security company. Probably in each country, there will be a penetration testing, auditing, security training company that runs a security blog. The press (in this case the security press) has the good habit of not revealing the source of their information. I did so, the gentlemen from the company took over all the information along with the technical part and, concerned about the matter, reported the problem directly to the leaked company. I decided on this type of report because I knew that the problem reported by an English-language platform like OpenBugBounty, with additional technical aspects, may not be well understood due to the language barrier. In addition, fame and glory when the matter is mentioned on the pages of the blog read by all security experts in the country is a big temptation. After all, it is known that there will be no financial reward for it. In such cases, the only win is that the service will be secured and as its user you do not have to worry about the consequences in case the vulnerability is exploited by this bad hacker. I applied and forgot, because from a short exchange of messages I learned that, as you might have guessed - here I am quoting “this company is very hard to work with“.
Out of curiosity, from time to time I checked from the technical side to see if anything was improving and only after about half a year (sic!) I noticed that the logging system had been changed. User names have been changed, password length and complexity have been enforced, and security measures related to the number of incorrect login attempts have been added. In the end, I won. The company from the Middle Ages introduced security worthy of the 21st century. Hurrah!
How to prepare your environment
All in all, I decided to write this article because it is quite a difficult topic that every security research faces. I thought about it a while ago to share my insights, maybe it will help someone avoid unpleasant consequences or make it easier to start an adventure called bug bounty hunting. Additionally, one of the readers (greetings) asked me about my website bountyhunter.red. And we discussed for a moment by e-mail, exchanging observations, it was the moment when I thought ok, there will be no better time for an article on this topic.
So, the bountyhunter.red is nothing more than a VPS with landing page Informing that the IP address of this server is used by me to scan for vulnerabilities and actions in various bounty programs. On this VPS, a VPN server and various tools to automate the work of the pentester are installed (and soon I will add there some honeypots!). Why? Because you don’t want to do it from your home IP address (VPN/Proxy is good for your Kali machine). Your home IP can be quickly blocked or added to various filters, and negatively recognizable on the web. You may find that when browsing the internet from home you will be solving captcha more often than watching your favorite funny pictures of cats. I also noticed that many companies do not block bountyhunter.red IP address, just as they do not block addresses of public scanners such as Shodan or Censys, just to be able to receive a threat report in the future. Page with any explanation, credible or not is better information than just random IP. That’s just my way, of course. Working as an analyst on the first line of IT security, while analyzing suspicious IP addresses, I have often come to the fact that it is a Shodan server or alternative solution scanner, a university scanner, scientific research servers, traffic analyzers, bots, Tor exit servers. It is easier to understand and decide what to do when there is more details. I would personally block my address if it rummaged too much in my company’s infrastructure, but scanning ports itself is not a crime - sadly not in all countries (If you ever see a car with such a sticker above the registration plate, you may be following me).
It is definitely worth having a server from which you can run various types of automation so that the computer at home does not buzz all night and does not heat the room. Additionally, you gain a bit of anonymity in your activities. Some services can be accessed just from the IP located in the same country. For security reasons, also separate your home environment from the test one.
You can also use free VPN services like Proton VPN etc.
Always have good intentions. Always have a legitimate reason to perform your scan and always document your work.
Other interesting facts
Follow the link to the sources for more details. Are links in this section inspired me to write this article.
Several years ago, US Department of Justice Special Counsel Leonard Bailey gave advice at the Black Hat conference on how to stay out of trouble. The advice probably holds up well in lots of jurisdictions: “If you’re pinging a network, that’s not actionable. If you’re port-scanning, again, not a problem unless you’re doing it at a denial-of-service level. Beyond that, you may get questions.”
Stay away from port scanning critical infrastructure and government sites.
In the U.S., no federal law exists to ban port scanning.
Civil lawsuits – The owner of a scanned system can sue the person who performed the scan. Even if unsuccessful, the case can waste time and resources on legal costs. Though extremely rare, one IT consultant was arrested and sued after a port scan.
Complaints to ISP – The owner of a scanned system can report the scanner’s IP to the associated ISP. Many ISPs prohibit unauthorized port scanning. Some will take action – such as with reprimands or canceling of service.
The amount of risk associated with a port scan is largely based on whether it’s authorized. If you did not receive permission, then you’re at greater risk of backlash.
First, always get permission before scanning a system you do not own. The permission must be in writing and signed by both parties – the scanner and the system owner. Verbal permission is not always enough.
The written consent should be part of a scanning plan or a statement of work. This document can include the following:
Dates and times for scanning
IP ranges to be scanned
Names of systems and networks to be scanned
Scanning tools to be used
People conducting the scans
If a remote scan is planned, include the IP address of the scanning tool
Very interesting article (quote below is from there) about Hacking Is Not A Crime non-profit organization.
Alberto Daniel Hill: I have had an experience in my country in Uruguay where I reported a security problem in the system of a medical provider. I found it once. I reported it. I found it twice. I reported it. Then, the medical provider was hacked and I was accused of committing the crime, and I was sent to prison.
Basically, it was the incompetence of the media and police—they were unable to completely handle a case involving high-technology somehow. They couldn’t understand it. The media with the press releases painted an image of me as a hacker who was a cyber terrorist. They didn’t see me the hacker as a person, but said I used my knowledge of computers in order to commit crimes because of all the devices they found here. I was treated as a cyber terrorist in my country.
I loved computers since I was a child. I collected devices of all kinds since I was a kid and all hacking tools that were available to me, but they’re any tool that security researchers would have, in order to do research and understand how things work. It’s the curiosity of how things work. We are not bad guys who commit crimes. We are the curious good guys. Think of it like this. It’s like a bad guy using a gun to rob a bank, but a good guy like a cop uses the same gun to stop the crime. Same gun, but different purpose.
The most popular tool for scanning which is Nmap also have a section in documentation about Legal Issues.
And I love the sentence:
Hacking is a skill like lockpicking, hacking can be bad or good. Like lockpicking.
That was long right? I hope you didn’t fall asleep, because I did.