Responsible Disclosure Challenges: A Bug Hunter’s Experience with OLX India


Joel I. Patrick, an Offensive Security Analyst, reported two critical vulnerabilities to OLX India’s security team but received no acknowledgment or response. Despite repeated follow-ups, the issues were silently patched without credit. Undeterred, he reported another vulnerability, only to face the same outcome. His story highlights the challenges security researchers face in gaining recognition for their efforts.

Read the full write-up here: https://lnkd.in/gwrAS9Ps

You Should Know: Essential Bug Bounty and Security Research Practices

1. Responsible Disclosure Workflow

  • Identify the Vulnerability: Use tools like Burp Suite, OWASP ZAP, or Nuclei to detect flaws.
  • Document the PoC: Record steps to reproduce the issue with screenshots or videos.
  • Contact the Vendor: Locate the security contact via `security.txt` (e.g., /.well-known/security.txt) or WHOIS lookup.
  • Follow Up Politely: If ignored, escalate via CERT-In (India) or platforms like HackerOne.
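To make the "Contact the Vendor" step concrete, here is a small checker, added for this post and not part of the original write-up, that parses an RFC 9116 security.txt and flags the things a reporter should notice before sending anything: no Contact line, no Expires line, an Expires date already in the past, or a contact URL that is not served over TLS. The sample file and all domains in it are constructed; replace SAMPLE with the text fetched from the vendor's /.well-known/security.txt.

```python
from datetime import datetime, timezone

# Constructed sample of a vendor's /.well-known/security.txt (not a real file).
SAMPLE = """# Security contact information
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2025-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/disclosure-policy
Preferred-Languages: en, hi
"""

def _parse_ts(s):
    """Parse an RFC 3339 timestamp such as 2025-01-01T00:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_security_txt(text):
    """Map each field name (lower-cased) to the list of its values.
    Comment lines (#) and blank lines are skipped; fields may repeat."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now_iso=None):
    """Return (fields, warnings). now_iso fixes 'now' for reproducible checks;
    by default the current UTC time is used."""
    fields = parse_security_txt(text)
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    warnings = []
    if "contact" not in fields:
        warnings.append("no Contact field; fall back to WHOIS or CERT-In")
    if "expires" not in fields:
        warnings.append("no Expires field (required by RFC 9116)")
    elif _parse_ts(fields["expires"][0]) < now:
        warnings.append("file expired on %s; contacts may be stale"
                        % fields["expires"][0])
    for contact in fields.get("contact", []):
        if contact.lower().startswith("http:"):
            warnings.append("contact %s is not served over TLS" % contact)
    return fields, warnings
```

A stale Expires date is the usual sign that nobody maintains the file, which is worth mentioning in the report itself when the vendor later claims it never received one.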

2. Verify Patches Silently

After reporting, retest using:

curl -X GET "https://target.com/vulnerable_endpoint" -H "Authorization: Bearer TOKEN"

Or automate with Python:

import requests

# Retest the reported endpoint once the vendor appears to have patched it.
response = requests.get("https://target.com/api/endpoint", timeout=10)
if "vulnerable_keyword" not in response.text:
    print("Patched!")
else:
    print("Still vulnerable - follow up with the vendor")

3. Protect Yourself Legally

  • Avoid Unauthorized Testing: Stick to public bug bounty programs.
  • Use Legal Agreements: Submit reports under platforms with clear terms (e.g., Bugcrowd).

4. Linux Commands for Security Researchers

  • Network Analysis:
    nmap -sV --script vuln target.com
    tcpdump -i eth0 'port 443' -w traffic.pcap

  • API Testing:
    ffuf -u https://target.com/FUZZ -w wordlist.txt -H "Authorization: Bearer TOKEN"
5. Windows Commands for Recon

nslookup target.com 
certutil -urlcache -split -f http://target.com/file.exe 

What Undercode Says

Silent patching without credit demotivates researchers, but persistence is key. Always:
– Document Everything: Use tools like `jekyll` for write-ups.
– Leverage Automation: Script retests with `cron` jobs.
– Engage the Community: Share findings (anonymously if needed) to pressure vendors.

Expected Output:

A well-documented report, retest confirmation, and community-backed escalation if ignored.

Note: Telegram/WhatsApp URLs and non-IT content were removed.

References:

Reported By: Joel I – Hackers Feeds
