
To think this email from an ethical hacker is blackmail?

37 replies

Insertfunnyname · 16/01/2021 11:54

I own a business and we had an email from someone out of the blue to say by the way I've been looking around your website and discovered that XYZ is insecure and someone could actually hack this part.

I forwarded it on to our web developers saying "not sure if this is true etc. but here's an email I got". They replied a bit red-faced and said actually that does seem to be a flaw in the coding or whatever and we've fixed it. So I replied to the anonymous email saying that is very kind, thanks for emailing. Are you an existing customer? I was going to offer them a voucher or something to use on the website.

They replied and said they're not a customer, they're an "ethical hacker" and now they'd like to be compensated for their time! (not in the form of a voucher for our website obviously but actual money)

To me, this seems like someone tapping your door saying "I noticed that your front door was a bit rotten and under the weather. I've painted it for you, and now here is my invoice", when you hadn't asked them to, and they made no contact before doing it. Surely 'tradesmen' should actually offer their services, not do it and then present a bill!

It feels almost like a thinly veiled threat that if we don't now pay them they might cause us damage, or try and hack the website and probably 99% of people get freaked out and pay them just so they go away. Not all that ethical.

I just don't like their way of going about all this... it stinks! And I guess we will probably pay. They haven't told us yet how much ££ they want.

sirfredfredgeorge · 16/01/2021 16:35

Oh, and it's been said that the BA breach that cost them hundreds of millions was known about earlier but the people who found out failed to manage to report it to them because they didn't have any mechanism to do it.

www.bbc.co.uk/news/business-48905907

The "don't respond, don't do anything" approach when people report security vulnerabilities to you is not a good idea - if you're not the right person in the organisation, send it to the right one and get a security.txt on so people will know how to report it in future.

BoomBoomsCousin · 16/01/2021 16:37

Blackmail would be saying “I’ve found this security flaw in your website and if you don’t pay me I’ll publish the info.”

What they have done is more akin to “shareware” which used to be a big thing in tech. Write a program, let people use it for free but ask them to send you money if they enjoyed it/got value from it.

They aren’t putting you in any harms way and they have done you a service (potentially a huge one, it’s not clear but if your web team are red faced about it sounds like it could have been a problem for you) by finding the flaw and pointing it out. Seeing them as malevolent when they’ve done nothing but help you so far is really defensive. They may have legitimately found it, they may have been chancing it with a lot of firms at once and just “got lucky” with your company. Neither means they’re out to harm you or blackmail you.

You don’t have to pay them. It might be good to talk with your web team about what the heads up was worth to your company and how much effort he would have had to put in v. how much of a chancer the guy was. While you’re at it, maybe get a better idea of what the issue was, why it was missed by them and what is needed in the future to stop such slips.

goodwinter · 16/01/2021 16:42

@sirfredfredgeorge

Well it’s not very ethical to expect compensation for something most do just to stop people being exploited

It's not very ethical to not bother securing your website and leaving your customers vulnerable? What's more, the company doing that is very probably acting illegally.

I would encourage the company to make their policy on this explicit - securitytxt.org/ - explains how, a bug bounty is not necessary, but it might be useful. When you consider Apple and Google etc. are spending millions per year on this knowing that they get very good return on that investment, it's really not a bad idea. Much better than the damage caused by someone who wants to exploit it.

I work in cybersecurity and agree with this.

goodwinter · 16/01/2021 16:44

@NoOneOwnsTheRainbow

I can't believe you replied to someone who broke into your website. Would you offer an "ethical burglar" a voucher for breaking into your premises and not stealing anything? Bizarre.
If your systems are insecure, you need to know about it. And count yourself lucky to have been found out by an ethical hacker (assuming it doesn't get threatening ofc) rather than someone with malicious motives.

sararh · 16/01/2021 16:57

OP, I work in IT.

They are not an 'ethical hacker'; yes, you are correct to interpret it as a thinly veiled threat.

If they were asking for money to perform MORE testing, that would be different. They are asking you to pay for testing they've carried out without you asking, and are now asking for payment. Not on. It is (as an earlier post said and oddly got shut down) the same as saying "I noticed the zip on your bag was broken, and I took your phone out. Here it is. Can I have some money please". You'd wonder what else they'd taken.

I'd email back saying thank you, but you didn't contract them for the work and won't be paying. Honestly, you'd arguably be entering into a contract of employment with this dodgy anonymous person if you paid them.

sararh · 16/01/2021 16:59

Sorry for poor spelling/grammar - phone autocorrect

sararh · 16/01/2021 17:01

Also, you can tell this isn't the best forum to be asking on, because commenters are saying things like 'lucky it was an ethical hacker!' and basically completely agreeing they are an ethical hacker because that's what they've called themself. Hook line and sinker.

sararh · 16/01/2021 17:08

To be clear, OP, I'm not saying be rude to the guy. You can let him know how grateful you are, and that you'd happily offer a discount on your services, but explain that you will not be reimbursing him financially as you do not want to accidentally enter into a contract as there may be implications.

Sittingonabench · 16/01/2021 17:12

I would offer them a job! Maybe once every 6 months for a check and recommendations. These skills are ever increasingly valuable

carlaCox · 16/01/2021 17:17

Hi OP, I'm a software developer. If I were you I would ignore the "ethical hacker" for now because you have a bigger issue on your hands. I.e. Why is there a security flaw in your website? This suggests you have shoddy software development going on and you need to have a serious word with the web developers. It's not good enough to say "oops sorry we've fixed it now". How do you know there aren't more issues yet to be discovered?

2bazookas · 16/01/2021 17:23

@Insertfunnyname

Well I guess the fear is that they might not have told us about ALL the vulnerabilities so that they have leverage if the 'client' doesn't pay.
Or what they might have installed while they were poking around in there.

CrazyToast · 16/01/2021 17:34

How is it blackmail if they told you the problems for free? You're not obliged to pay them anything, it would be a good will gesture as they just made your site more secure.

It's a definite thing, some people get big payouts for it. Usually a company will join a hacking site and invite hackers to try and get in.
