HACKER Q&A
📣 throwA2457

How do I tell an Indie Dev about vulnerabilities that I exploited?


An Indie Developer sells his source code and a license to use it. His site is built on top of his product.

I watched a guide he created for getting started with his software. As he was demonstrating something I noticed a potential vulnerability. Out of curiosity I decided to try it out and see if it worked. And it did (I didn't expect it to). It allowed me to download the source that he was selling without having to pay.

Now it's probably at this point that I should have emailed him to tell him about the issue. Instead, I looked through the source and found a second vulnerability. This time, I didn't attempt to try it out on his site. But assuming that he uses the same code on his site, it means that anyone can purchase a license to use his source for any price they choose. Granted, if someone did this, he would probably notice that they didn't pay full price.

In short, I found two vulnerabilities on an Indie Dev's site that allows anyone to download his product, and pay any amount for a license.

How do I tell this Indie Dev about the vulnerabilities? I'm concerned that telling him I exploited a vulnerability (out of curiosity, not malice), and then found another makes me look like a black-hat.

  👤 austincheney Accepted Answer ✓
Just inform the developer outright. No need for secrecy. You are doing them a considerable favor. Tell the developer you will publish these vulnerabilities to the public in 3 months.

https://en.m.wikipedia.org/wiki/Responsible_disclosure

So long as you are not asking for any kind of compensation you are in the right. The moment there is a question of compensation the subject changes from responsible disclosure to extortion.

👤 bruce511
I'll answer from the other side of the fence. I'm a semi-indi-developer. I mostly make software tools, almost all of which is distributed as source code. (it's not open source, but licensees get it as source code)

I get bug reports all the time. Some come with suggested fixes. Some discuss vulnerabilities. All are accepted with appreciation. All people I correspond with use their real names.

I don't have a bug bounty program, but folk who are helpful get discounts, and in some cases free licenses to other bits.

Of course YMMV. But if it was me I'd just email them the info.

👤 Foober223
There's a saying:

No good deed goes unpunished.

What's right for your personal morals may conflict with the law. I'm sure most developers would appreciate the report. But some people misunderstand things. Are unreasonable. Or psychopaths.

If you want to send a report there is absolutely a need for secrecy. It may already be too late for perfect secrecy as all your actions on the internet are logged, so it's possible for the US government to determine that you were the one who downloaded source code. Unless you always use things like encryption and tor.

👤 seanwilson
> In short, I found two vulnerabilities on an Indie Dev's site that allows anyone to download his product, and pay any amount for a license.

Would anyone really be brazen enough to obtain a license this way and expect legal protection?

👤 mettamage
I'll go for some low hanging fruit here.

Anonymous email, VPN and tell him. Demonstrate it, explain it and don't claim the glory.

Disclaimer: I'm not a security expert so I've never done responsible disclosure.

👤 codegeek
I would just email in good faith but dont ask for any compensation unless they have a bug bounty program which is unlikely for indie dev. I m sure they would appreciate it.