
  • Hello,

    Do you know if these emails that are sent by no-reply@openbugbounty.org are serious?

    All my plugins are updated and I do not have any problem, but I receive these emails.

    What would you do? Who is OpenBugBounty?

    Thank you for your help.

Viewing 15 replies - 1 through 15 (of 15 total)
  • Moderator Yui

    (@fierevere)

    ゆい

    https://en.wikipedia.org/wiki/Open_Bug_Bounty

    They are not related to WordPress.org anyhow.

    Thread Starter celsta

    (@celsta)

    Yes, but it concerns WordPress websites with all security enabled and all updated plugins.

    What would you do?

    thank you.

    Moderator Yui

    (@fierevere)

    ゆい

    If you have not subscribed to their scans, you can ignore them, since those mails are unsolicited.
    To be sure about your site safety you can use other scanners.
    Having all the stuff updated to recent versions is a good guarantee that your site does not have any known vulnerabilities.

    mat8iou

    (@mat8iou)

    Interesting – I was wondering the same thing, having just received the email from them.

    It’s not particularly helpful that the technical details of the vulnerability are not available when you go to the linked page.

    TBH, I can’t recall if I ever signed up to their site or not – or whether they are getting me email from the Domain registration or elsewhere. If I did sign up with them it was a long long time ago.

    @mat8iou I’ve just received an unsolicited one from them as well, they claim to take it from domain registration data. The claim came from someone named Cyber_india.

    I’m fully up to date and I run Wordfence free. Even trying to run some tests on how secure the site was, I was immediately blacklisted by my server.

    I think they are a legit organisation, but these methods are rather underhanded: contacting the webmaster rather than chasing up the vulnerability in WordPress code or specific plugins and themes, whose maintainers are more likely to be able to do something about it than the average WordPress user (I count myself in that group!).

    Chris

    (@bundfegadmin)

    @mat8iou They write to webmaster@, admin@ and some other administrative addresses @your-domain. So you never had to subscribe. I have got some mails from them (all findings by cyber_india) and since all sites are up-to-date, have Wordfence running and there are no findings from scans (I checked via detectify com and immuniweb com), I just wait for the three months to pass by and am curious whether the result will be interesting.

    Really looks like a scam.
    When I am late to update some websites, they send their BS email.
    But late is just a few weeks, I never update after months.
    Do they really have nowhere else to send their stupid bots?!

    Also, I find it questionable that they post publicly on their website that your website is vulnerable.

    Is there anything we can do to stop them? Do they always use the same IP? I want to stop them from scanning my websites.

    Thank you.


    I also got one of these emails for one of my sites and looked at the “security researcher” that found the vulnerability: he has somehow found hundreds and hundreds of vulnerabilities in websites today. Wonder how he did that. Must have been lots and lots of work *sarcasm sign*. The sites also seem to be pretty much in alphabetical order.

    And you are supposed to write the “researcher” so they can tell you what the problem is. It’s probably no coincidence that they also explain how to pay them via PayPal …

    In other words: even if the platform itself is legit (and I am not convinced it is), there are people who find a vulnerability in WordPress or a WordPress plugin and, instead of disclosing this to WordPress or the author of the plugin, they use this platform to automatically send these emails to all sites they can find with the same setup. And then they hope people will give them money.

    I think that this is a WordPress problem, because many WordPress users will receive these emails and feel that their site is insecure. If WordPress thinks long-term, this is very problematic.

    Just had the same emails (about 20) for one of my sites. I was suspicious of the email anyway, but this thread has assured me that I have taken the right action. Thanks.

    So we should just ignore?
    Is there any way to ask them to remove the public page informing hackers that our websites are vulnerable?
    Is there any law that can help to stop them crawling us?

    arberkastrioti

    (@arberkastrioti)

    I also received such an email yesterday. They are not interested in the safety of others, only how to get money. For me this is criminal. I have checked my site (which is relatively small) completely. Nothing found. The goal of these criminals is to create fear. There are hundreds of websites tested daily by Cyber_India, and that is how you get to the money. Does anyone have experience? I will wait and do nothing.

    cacabe

    (@cacabe)

    Yes, I agree that they are a new kind of cyber criminals!

    WFSupport

    (@wfsupport)

    Saw this article on Twitter which might help explain it.
    https://www.infosecurity-magazine.com/news/experts-warn-of-beg-bounty

    Hope this helps.
    Tim

    Chris

    (@bundfegadmin)

    Hi all,

    I just looked into the reports (they become available after three months); all are from ‘Cyber_India’ or ‘Cyber_World’.
    On one site it was an “info.php”, on two others the reachable “xmlrpc.php” from WordPress. So no hard security issues, I think.
    Chris
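    For readers whose report also names a reachable xmlrpc.php: the endpoint is exposed by default and is a common target for credential brute-forcing and pingback abuse, so turning it off (and logging any remaining hits) is a cheap hardening step. The snippet below is an added example written for this thread, not code from any poster or from Open Bug Bounty; it assumes you can drop a file into wp-content/mu-plugins/ and that your host writes PHP error_log output somewhere you can read.

    ```php
    <?php
    /**
     * Plugin Name: Disable XML-RPC (added example for this thread)
     * Description: Turns off the xmlrpc.php endpoint, removes the headers that
     *              advertise it, and logs any request that still reaches it.
     * Drop this file into wp-content/mu-plugins/ so it loads on every request.
     */

    // Tell WordPress to reject every XML-RPC request with a "disabled" fault.
    add_filter( 'xmlrpc_enabled', '__return_false' );

    // Also empty the method table, so nothing is callable even if another plugin
    // re-enables the endpoint later in the request.
    add_filter( 'xmlrpc_methods', function ( $methods ) {
        return array();
    } );

    // Stop advertising the endpoint: drop the X-Pingback response header ...
    add_filter( 'wp_headers', function ( $headers ) {
        unset( $headers['X-Pingback'] );
        return $headers;
    } );

    // ... and the <link rel="EditURI"> (RSD) tag that points scanners to it.
    remove_action( 'wp_head', 'rsd_link' );

    // Detection: record who still knocks on xmlrpc.php, so you can correlate
    // the entries with the dates on any "vulnerability notification" you get.
    add_action( 'init', function () {
        if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
            $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
            $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
            // Truncate the UA so a hostile client cannot flood the log with one request.
            error_log( sprintf( 'xmlrpc.php hit from %s UA="%s"', $ip, substr( $ua, 0, 120 ) ) );
        }
    } );
    ```

    After installing it, a request to /xmlrpc.php should answer with an XML fault saying the service is disabled, and the X-Pingback header should be gone from normal page responses; if you rely on the Jetpack or mobile-app features that use XML-RPC, keep the endpoint and restrict it at the web server instead.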

    cacabe

    (@cacabe)

    Could it be possible to ask them to remove details about our websites?
    Just listing websites and telling that they are vulnerable is criminal.
