I am a security member of a small company which recently got contacted by someone claiming to be a Hackenproof member.
They were reporting on our website being indexed by googlebot (metadata, thin page content, anchor text issues) and an XSS vulnerability.

We do not have any legal statement that I know of regarding VDP (vulnerability disclosure policy) yet.

My questions:

1. Basically how to proceed or even should we? (Are they legit?)


2. What is the common expectation from a white hacker?


3. How to validate the vulnerability?

To answer each of your questions:

1. Basically how to proceed or even should we?

I recommend proceeding. You will be able to acquire valuable information that can immediately be put towards improving the security of your company. You haven't told us what the researcher has sent you, but they will either have a description of the vulnerability or methods to reproduce it. To proceed you will need from them:

• A description/attack scenario of the vulnerability found. Why is this an issue, what specifically does the bug allow an attacker to do that they shouldn't be able to do, what is the worst case scenario/severity of the finding.




• Reproduction steps. What steps could you give any engineer and allow them to reproduce the bug every time.




• What the hacker is looking for in return. As mentioned it may be permission to publish the finding after fixing or money.




• You might also want or receive remediation advice, risk scores, etc. from the researcher.

VERY IMPORTANT: make it clear to the researcher that you expect them to keep the issue confidential until the issue is fixed. They may counter with a remediation window, e.g. they get to publish and article if the issue is not fixed within 60 days. This is common practice and should be acceptable to most companies with a strong security posture.

2. What is the common expectation from a white (hat) hacker?

Depends on the researcher, but they will likely want permission to publish the finding once it's been fixed as well as a monetary reward. Reward prices are based on overall severity and size of the bounty program. Hackerone, a large bug bounty platform, has a matrix that suggests payouts relative to size of the company/bounty program: https://www.hackerone.com/resources/bug-bounty-basics. Determining payout price is a subtle art - I recommend searching hackerone or other bug bounty platforms for similar bugs and basing your payout on what other companies are paying for the same issue.

Again - a common expectation researchers will have is that they get to publish the finding in a certain amount of time regardless of whether it's been fixed by then. 60 days is common, but I wouldn't agree to an amount of time if you're not confident your company can deliver in that window. After the issue is patched, the hacker may want to validate that the fix was implemented correctly.

3. How to validate?

Use the reproduction steps the hacker has given you. They should be clear enough that any engineer can follow the steps exactly and reproduce the bug. If there are any issues here you can go back to the researcher and get clarification. It is the researchers responsibility to supply the company with reproduction steps that outline and identify the bug.

Once the issue is fixed you can invite the researcher to validate the fix and ensure that it was patched completely.

Hackenproof appears to be a website anyone can sign up for, so saying you're a member of Hackproof is equivalent to saying you're a member of Facebook. This is not an exclusive hacker group.

There's no formalized standard way to proceed with such a situation, since your company, your business, the bug, and the white hat are all going to vary greatly. One size doesn't fit all.

In general, it's advisable to be cautious but curious. Be careful, but not paranoid and vindictive. Don't provide any internal information to the white hat, try to get as much information as possible upfront while revealing little or nothing. Many of these people like to talk to show their own expertise. Let them do so. There's little harm that can happen if the information only flows one way. Ask him/her for source code, or a detailed description of the problem. Then analyze the code/description and write your own exploit (and don't compile or run the white hats code), running it against a test instance, preferably as isolated as possible from any other environment.

As far as each parties responsibilities, Most people who claim to be white hat hackers these days will practice responsible disclosure and not release the bug to the world until it can be fixed. Your responsibility is to fix the bug (if it's severe enough) within a reasonable amount of time (several weeks, not years). If your company offers bounties, they should be paid if the bug meets the criteria. If not, the white hat should accept that they likely won't be paid, but you have to accept that they might release the bug to the general public if it's not fixed in a reasonable amount of time.

I don't know that there are any hard-and-fast rules here. Let's treat this as game-theory:

What the researcher wants

Usually:

• Public credit for the discovery, such as a CVE or a research paper.


• Sometimes money in the form of a bug bounty.

What you want

Usually:

• Not to be publicly humiliated.


• To improve the security of your product.

How to proceed

From a game-theory perspective, the win-win situation is for them to disclose the details to you, for you to fix it, and for them to get their public credit. You should set up a phone call with the researcher and ask for a demo -- you stand to gain a lot and stand to lose nothing. Be aware that before they're willing to show you the details, the researcher may want an NDA or some other legal contract ensuring that they get their credit at the end.

I might be worth noting they are likely pretty new to this too, there are plenty of 'pros' and if that's how you make a living, you likely have a process, but that normally involves some agreement with a company before you start the work. But even then it varies between companies and the sort of job.

This sounds to me like an enthusiast to me though. I really doubt there is anything to lose from talking to the guy. He may have unrealistic expectations but what do you lose?

Side note, sorry if this patronising, but I feel it must be said: It's at least conceivable this is intended to be a way in to you being 'had', "can we have a quick chat about some of the implementation details of your system" is something you should probably say 'no' to, even especially if they come offering a carrot.

To echo what someone said in a comment, it would be a fair thing to do to try and rule out a scam or extortion. Here's a few things to consider.

• Is there any mention of payment at all in response for information - even some kind of "administrative fee"? Assuming you have no pre-existing bug bounty, a legitimate researcher is not likely to ask for money - they want the bug fixed and the ability to get credit for finding it. Asking for money could be seen as an extortion attempt or at best unethical.




• Are the steps to reproduce vague enough that they could not help you reproduce them? Have your engineers investigate them early to know exactly what you have and verify that there is a vulnerability, even if minor. Are they being a little reluctant to give details even though you are following the normal practices? If no matter what you do, the vulnerability remains vague and unconfirmed, you may not be dealing with a legitimate report.




• Do they seem overly eager to know information about how your software works or even information about your company or business?




• If the person claims to represent some group, can you verify they actually do?

The normal way to proceed would be to assure the reporter that you are committed to fix the bug, give a time frame for shipping the fix (they may have already specified a time frame they want, but if that seems unreasonable, negotiate) after which they can publish. Or, see if you can ask for a grace period afterwards in case they re-test and find the vulnerability still exists in some form.

Giving money in reward is a bit of an ethical dilemma, on the one hand it is good to reward but on the other hand if you don't have a bug bounty it risks encouraging the practice of finding vulnerabilities and expecting payouts, which comes close to black hat behavior. Again, be wary if they brought up the issue of money first, even if you do intend to give some. But if you do, it would be better for all if you set up some sort of formal bug bounty program.