On Fri, Jan 15, 2016 at 5:46 AM, Richard Hipp <d...@sqlite.org> wrote:

> I received email alerting me to the following:
> https://www.xssposed.org/incidents/124372/
>
> My assessment is that this is a scam or shakedown: "Nice website you have there. Send us money if you want to know about a vulnerability. If you don't, we'll tell a bunch of script kiddies how to break it."
>
> But perhaps I am misjudging the situation. Anybody else have any thoughts?
My thought is that the extortion email may be completely unrelated to xssposed.org or "thedawgyg" (the "researcher" who found the "problem"). Scam / shakedown artists look for sources of information like this and generate emails trying to scare people into paying. Presumably the email wants you to send a bitcoin to some untraceable location.

I'd try going through the website to contact "thedawgyg" (a name which instills confidence, to be sure) and see what you can come up with. If legitimate info is shared, you can decide what to do at that point.

If it does wind up being a scam / shakedown, their FAQ says:

    What shall one do if he/she is blackmailed by a researcher?
    Please contact us immediately and we will remove the submission. Don't ask for any logs however - we just don't have.

And the link to the contact form is: https://www.xssposed.org/about/contacts/

Perhaps they'd even be willing to share with you, at that point, the information they've supposedly "confirmed".

I do find it suspect that a legitimate security researcher would store up so many security issues to report at one time, but not being a security researcher I might just not understand how these things work. In any case, xssposed.com claims to be there to facilitate compensation to security researchers who reveal information. So give him a chance through the site to reveal.

-- 
Scott Robison
_______________________________________________
fossil-dev mailing list
fossil-dev@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev