Vulnerability Reports

From a defense perspective, information security is hard to get right. Even when everything has been done correctly, vulnerabilities in software and hardware exist that you either have no knowledge of, or are unable to resolve for some reason.

In theory (and so far, in practice) nothing is ever 100% secure. A defender has limited time to find and fix every issue, whereas an attacker has as much time as they like to find and exploit just one.

If I have found an issue with a system you are responsible for…

I have not done so maliciously, and I don't want anything for it (unless you participate in or otherwise offer a bug bounty, of course!) except that the problem be resolved. I may also like to write about it, as per responsible disclosure, but if you do not wish this to happen please tell me. I will always attempt to make contact first, several times, before publishing anything. Normally this will be a minimum of 90 days after first contact, though if the issue is judged to be very severe and I hear nothing back from you, this 90-day delay may be reduced. I'll let you know if so.

If you have found an issue on this site or something hosted on this server…

Want to dig about? Or have you happened across something interesting? The only rules are "don't leak/share personal data" (including details of the issue itself) and "try not to take anything offline"; otherwise anything on the fyr.io domain (including any and all subdomains, except for the blackbox.fyr.io subdomain) is in scope. Note that this site is hosted on a shared VPS, so try not to be too loud with any bruteforcing or automated scans. Rate limiting is appreciated 🙂

Whether it's full-blown RCE, minor information disclosure or something I just haven't bothered to update, feel free to get in touch and let me know! I can't pay, but if you're the first person to report the issue (policy as of 2022-09-15) I'll add your name/alias/handle/etc. along with any suitable links (social media profiles, personal sites, etc.) to the Hall of Fame below. It's not much, but it's something 🙂

security@fyr.io (Please note: it can take me a while to get to these reports, sorry!)

Hall of Fame

These fine people have reported a valid, unfixed-at-the-time-of-report bug, vulnerability, misconfiguration or other technical issue on this site:

2022

Raju Basak
LinkedIn

Vinit Lakra x3
LinkedIn

Shaik Rehman
LinkedIn

Rupali Jain
LinkedIn

Mr!dul Vohra x2
LinkedIn

Ajay Kumar x2
LinkedIn
Twitter

Love Yadav
LinkedIn

Nikhil Rane x5
LinkedIn

Hemant kashyap
LinkedIn

Sachhit

Tharun
LinkedIn

Ritik Jangra
LinkedIn

sahil shailesh more
LinkedIn

Atharva Manoj Allewar
LinkedIn
Twitter

Yash kushwah
(@cyberyash951)
LinkedIn

G BHARATH KALYAN x2
LinkedIn

2021

Priti Navale x2
LinkedIn


We can't fix every security issue out there, but fixing even one makes everyone that little bit safer.

You can see any information security related posts I’ve already made by checking out the infosec tag.