The Downside of Thanking Security Contributors
My startup is an popular event management platform within the Japan tech community. We’ve occasionally gotten reports about security issues, and although we’re a two-person company, we still take security seriously, so we decided to create security and responsible disclosure pages. As part of this, we created a section thanking people who had reported security issues to us.
The day after putting up the page, I got a mail “Reporting Stored XSS Vulnerability”. We’re using Ruby on Rails, which has built in functionality to mitigate these kind of attacks, so I was surprised to see such an issue being reported. However, I was able to verify it and fix the problem in the library that was causing it.
There was one thing that irked me at the end of his email:
P.S: If you would like to thank me, this is my paypal address: email@example.com
We hadn’t done anything to actively solicit people to find vulnerabilities in our site, so I found it a bit strange to have someone seeking compensation for it. I responded saying we don’t have any bounty program, but we would add him to the list of contributors. As I was curious why he decided to investigate our site, I asked him, but I didn’t hear anything back.
About a week later, I woke up to find six mails regarding security issues. Looking at our referrers, it seems someone added us to a list of bug bounties, where we were listed next to companies like eBay, Evernote, Fog Creek, and Foursquare. Generally speaking, I’d be happy to be in the same list as them, but in this case we simply don’t have the same resources to designate to bug hunters as them.
Most of those initial mails were regarding the X-Frame-Options header, that helps to combat clickjacking. At this stage, the likelihood that someone is going to target us with this kind of attack is pretty low, but nevertheless, I set it.
Two more people pointed out that we weren’t doing anything to prevent brute forcing of account login. Indeed we weren’t, and this was probably the most serious reported vulnerability. We implemented locking for accounts after many consecutive login attempts.
The last was that our nginx version had a security vulnerability in it. Indeed it did, although I don’t think we were using it in such a way that we would have been susceptible to it. Of course, we still did the upgrade.
Rather than by the issues themselves, I felt overwhelmed by the reporters. What’s the etiquette in this case? If multiple people report the same vulnerability, am I supposed to add them all to our list of security contributors? How about if they report something like the nginx issue, where it is a potential issue, but there is no reason to believe we would actually be subject to it?
Since that initial burst, we’ve continued to receive at least a couple of mails a day. After we asked them to, the bug bounty site removed us, but the reports continue. Furthermore, all the reports are about non issues. For instance,
- A user could create a link to another site that has malicious content. We are intentionally allowing a subset of HTML.
- A cookie is not marked as HTTP Only. We only use the cookie to store the users preferred locale.
- Our site can be DOSed by automating the submission of a form.
Not only are they reporting trivial issues, but they also aren’t testing our site in a respectful fashion, by doing stuff like signing up to real events with fake profiles.
At this point, I regret adding the contributors page. What was meant as a way to thank the people who helped us is now being treated as an open invitation to try to hack our site. If they were reporting serious issues it would be one thing, but I don’t want to spend time confirming every issue is actually a non issue. If I remove the list of contributors, will they stop? Or is the genie out the bottle now and I’m doomed to keep having to deal with these people?