TL;DR
A security researcher found a critical vulnerability in our app and emailed us before doing anything malicious. They gave us 7 days to fix it before disclosing. We fixed it in 3, thanked them publicly, and they became an informal advisor. Sometimes the "hackers" are the good guys looking out for you.
The Email
The subject line made my heart skip: "Security Vulnerability in Your Application."
I expected spam or a scam. Instead, I found a professionally written report:
"Hi, I'm a security researcher. While testing your application, I discovered a server-side request forgery (SSRF) vulnerability in your webhook integration. An attacker could use this to access your internal infrastructure. I have not exploited this beyond confirming its existence. I'm giving you 7 days to fix this before I disclose it publicly, per responsible disclosure practices."
Attached was a detailed write-up: steps to reproduce, potential impact, and suggested fixes.
The Vulnerability
Our webhook feature let users specify a URL for us to call when events happened. The problem: we didn't validate those URLs properly.
An attacker could provide a URL like http://169.254.169.254/ (AWS metadata service) or internal network addresses. Our server would make the request and return the response, essentially becoming a proxy for accessing things it shouldn't.
With this vulnerability, an attacker could potentially:
- Access AWS credentials from the metadata service
- Scan our internal network
- Access internal services not exposed to the internet
It was serious. Very serious.
Our Response
We took this seriously from minute one:
- Hour 1: Acknowledged receipt and thanked the researcher
- Hour 2: Verified the vulnerability was real
- Day 1: Implemented a fix (URL validation, blocking internal IPs)
- Day 2: Tested the fix thoroughly
- Day 3: Deployed and notified the researcher
We fixed it in 3 days, well before the 7-day deadline.
The outcome: No exploitation. No data breach. No customer impact. Just a vulnerability found and fixed before anyone could abuse it.
The Thank You
After deploying the fix, I sent the researcher a thank-you email. I asked if there was anything we could do in return.
Their response surprised me: "A public acknowledgment would be great. It helps my reputation as a researcher and shows other companies that responsible disclosure works."
We did better than that:
- Published a blog post thanking them by name
- Created a security.txt file with contact info for future reports
- Offered them 6 months of free service (they declined but appreciated the gesture)
- Added them to our security credits page
Why This Went Well
1. The Researcher Acted Responsibly
They didn't exploit the bug. They didn't sell it. They didn't publicly shame us. They gave us time and information to fix it.
2. We Responded Quickly and Professionally
No defensiveness. No denial. No weeks of silence. We acknowledged, verified, fixed, and thanked.
3. We Made It Easy to Report
Even though we didn't have a formal security contact at the time, our general email address was responsive. The researcher's email didn't get lost in spam.
The realization: Not everyone looking for vulnerabilities is malicious. Many are ethical researchers who want to help. How you respond determines whether they become allies or adversaries.
What We Changed
Security.txt File
We added a /.well-known/security.txt file with contact information, making it easy for researchers to know how to reach us.
Clear Response Process
We documented how to handle security reports: who gets notified, expected response times, and communication templates.
Public Acknowledgment Policy
We created a policy to publicly thank researchers who report vulnerabilities responsibly, with their permission.
Ongoing Relationship
The researcher who found our SSRF became an informal advisor. They've since flagged two more minor issues. We've built a relationship based on mutual respect.
What is responsible disclosure?
Responsible disclosure is when a security researcher reports a vulnerability to a company privately, gives them time to fix it, and only goes public after the fix is deployed (or a reasonable deadline passes).
How should I respond to a security researcher report?
Respond quickly, even just to acknowledge receipt. Thank them for the report. Verify the issue. Provide a timeline for fixing it. Keep them updated. Thank them publicly (with permission) after the fix.
Should I offer bug bounties?
Formal bug bounties work for larger companies but require resources to manage. For smaller companies, simple acknowledgments, swag, or free service can show appreciation without the overhead of a formal program.
What if a researcher is aggressive or unreasonable?
Most researchers are professional, but if someone is threatening or demanding unreasonable payments, document everything and consult legal counsel. Don't engage in hostility, but don't be extorted either.