Reporting Website Vulnerabilities

TL;DR

The best way to alert a website owner of a vulnerability is usually through their security policy (if they have one), or by contacting them directly via email. Be clear, concise, and avoid demanding payment.

1. Check for a Security Policy

  1. Look for a ‘Security’ page: Many websites have a dedicated page outlining how to report security issues. This is often found in the footer of the website or within their help/support section.
  2. Check the robots.txt file: Sometimes, contact information for security reports is included here. You can find this by visiting https://www.example.com/robots.txt (replace ‘example.com’ with the actual website address).
  3. Look for a PGP key: If they want secure communication, they may publish a PGP public key on their security page. This allows you to encrypt your report.
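The three checks above can be automated. The script below is an added example and is not code from the original post. It assumes the site may publish a security.txt file as defined in RFC 9116 (served at /.well-known/security.txt, with /security.txt as a legacy location), which is the standard place for exactly the contact address, PGP key (the Encryption field) and policy link the post tells you to look for; it falls back to scanning robots.txt comments for an e-mail address, mirroring the second step. The site responses are constructed samples so the example runs offline; `http_fetch` is provided for real use.

```python
"""Locate a website's published security contact before sending a report (added example)."""
import re
from datetime import datetime, timezone
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# RFC 9116 locations; the .well-known path is the canonical one.
SECURITY_TXT_PATHS = ("/.well-known/security.txt", "/security.txt")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_security_txt(text):
    """Parse RFC 9116 'Field: value' lines into {field_lower: [values]}; '#' lines are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def security_txt_is_current(fields, now=None):
    """RFC 9116 makes Expires mandatory; a missing, unparseable or past value means stale data."""
    expires = fields.get("expires")
    if not expires:
        return False
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > (now or datetime.now(timezone.utc))


def contacts_from_robots(text):
    """Fallback: collect e-mail addresses that appear in robots.txt comment lines."""
    found = []
    for raw in text.splitlines():
        if raw.strip().startswith("#"):
            found.extend(EMAIL_RE.findall(raw))
    return found


def find_security_contact(base_url, fetch):
    """Return where and how to report, or None. fetch(url) returns the body text or None."""
    for path in SECURITY_TXT_PATHS:
        url = urljoin(base_url, path)
        body = fetch(url)
        if body is None:
            continue
        fields = parse_security_txt(body)
        if "contact" in fields:
            return {
                "source": url,
                "contacts": fields["contact"],
                "pgp_key": fields.get("encryption", []),   # PGP key location, if published
                "policy": fields.get("policy", []),
                "current": security_txt_is_current(fields),
            }
    robots_url = urljoin(base_url, "/robots.txt")
    robots = fetch(robots_url)
    if robots:
        emails = contacts_from_robots(robots)
        if emails:
            return {"source": robots_url, "contacts": ["mailto:" + e for e in emails],
                    "pgp_key": [], "policy": [], "current": None}
    return None


def http_fetch(url, timeout=10):
    """Real fetcher for interactive use: returns the body on HTTP 200, otherwise None."""
    try:
        req = Request(url, headers={"User-Agent": "security-contact-lookup"})
        with urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace") if resp.status == 200 else None
    except Exception:
        return None


# Constructed sample responses standing in for a live site (hypothetical content).
SAMPLE_SITE = {
    "https://www.example.com/.well-known/security.txt": (
        "# Constructed sample security.txt\n"
        "Contact: mailto:security@example.com\n"
        "Contact: https://example.com/security/report\n"
        "Encryption: https://example.com/pgp-key.txt\n"
        "Policy: https://example.com/security-policy\n"
        "Expires: 2099-01-01T00:00:00Z\n"
    ),
    "https://www.example.com/robots.txt": (
        "# Security issues: security@example.com\nUser-agent: *\nDisallow: /admin\n"
    ),
}


def canned_fetch(url):
    """Offline stand-in for http_fetch."""
    return SAMPLE_SITE.get(url)


if __name__ == "__main__":
    print(find_security_contact("https://www.example.com", canned_fetch))
```

Prefer the security.txt result when its Expires date is still in the future; a stale file may point at an address nobody reads, and a robots.txt comment has no expiry at all, so confirm that address on the site's contact page before relying on it.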

2. Contacting the Website Owner Directly

  1. Find an email address: Look for ‘contact’, ‘info’, or ‘support’ emails on the website. Avoid using generic ‘webmaster@…’ addresses if possible, as these are often unmonitored.
  2. Craft a clear and concise email: Keep your message professional and to-the-point. Include the following:
    • Subject Line: “Security Vulnerability Report – [Website Name]”
    • Description of the vulnerability: Explain what you found in simple terms, avoiding technical jargon where possible.
    • Steps to reproduce: Provide clear instructions on how they can verify the issue themselves.
    • Potential impact: Briefly explain what could happen if the vulnerability is exploited.
    • Your contact information: Include a way for them to reach you for further discussion.
    • Disclosure timeline (optional): If you have a preferred timeframe for disclosure, state it politely. For example, “I would appreciate a response within 30 days.”
  3. Example Email:
    Subject: Security Vulnerability Report - Example Website
    
    Dear [Website Owner/Security Team],
    
    I am writing to report a potential security vulnerability on your website, example.com.
    
    Description:
    The search functionality allows for cross-site scripting (XSS) attacks through unfiltered user input.
    
    Steps to Reproduce:
    1. Visit https://www.example.com/search?q=
    2. Observe that an alert box appears, demonstrating the execution of JavaScript code.
    
    Potential Impact:
    A malicious actor could inject harmful scripts into your website, potentially stealing user data or defacing the site.
    
    Please let me know if you require any further information. I can be reached at [your email address].
    
    Sincerely,
    [Your Name]

3. What *Not* To Do

  1. Don’t demand payment: Asking for a bounty without prior agreement is generally frowned upon and can be illegal in some jurisdictions.
  2. Don’t publicly disclose the vulnerability before it’s fixed: This puts users at risk. Give the website owner reasonable time to address the issue.
  3. Don’t exploit the vulnerability further: Stop testing once you have confirmed its existence and can reproduce it reliably. Further exploitation could be considered illegal.
  4. Avoid overly technical language: Remember that the recipient may not be a security expert.

4. Responsible Disclosure

Responsible disclosure means giving the website owner a reasonable amount of time to fix the vulnerability before publicly revealing it. A typical timeframe is 90 days, but this can vary depending on the severity of the issue and their response.
