If you’re looking for a lesson in how not to respond to bug reports, look no further than Budapest, where the city’s public transit system is getting savaged on Facebook for snitching on a security researcher who discovered a flaw in its online ticketing site.
Budapest’s public transit system, the Budapesti Közlekedési Központ (BKK), has been promising to roll out an e-ticketing system for years — but now the system is finally here, and its introduction has been a trainwreck.
An 18-year-old student discovered a basic security flaw in BKK’s e-ticketing site that let him modify the price of one ticket and purchase it at a much lower cost, Bleeping Computer reports. He switched his browser into developer mode — which you can do too with a quick right-click — and was able to alter the site’s source code. He reported the flaw within two minutes to BKK so it could be fixed, but BKK responded by reporting him to the police.
Since the man’s arrest, BKK’s Facebook page has been flooded with more than 46,000 one-star reviews from outraged users. Many of them are reposting a statement attributed to the young researcher, in which he says that he doesn’t live near Budapest and didn’t use the ticket he purchased, but simply reported the security issue to BKK within two minutes of discovering it.
In a statement, BKK said that it was standard procedure to report breaches of its systems but regretted that the report had negatively impacted a young student who acted “in good faith”.
White hat hackers can often get blowback from companies that aren’t used to dealing with them — some companies panic at the sight of a bug report. It’s not unheard of for a company to report a white hat to the police, but that usually happens when the hacker has been much more intrusive. Calling the cops over such an obvious vulnerability seems overblown — enough so that 46,000 people are writing Facebook reviews over it.
“It’s absurd, it makes me very upset actually,” said Adam Bacchus, chief bounty officer at the bug bounty company HackerOne. “Some organisations, as soon as they see anyone attempting security testing, will pick up the phone and call the police.”
But companies should be happy to hear from well-intentioned hackers reporting flaws, Bacchus says. The vulnerabilities exist either way, and companies should want to find out about them before the bad guys do. HackerOne will sometimes act as an intermediary and report vulnerabilities for hackers who want to stay anonymous.