Who are you?

A short self-introduction can be found on the team site.

Short answer: I am a computer science PhD candidate interested in IT security, with a passion for web security. In addition, I consult for companies on IT security and web security.

What do you do in detail?

We look for security issues in web applications. If we discover any, we report them to the webmaster, who will hopefully fix the issues and restore security.

What is your gain from this?

We don’t gain much, other than reducing the number of security holes that can be exploited by cyber criminals. Naturally there is also the good feeling of having done something that helps the internet’s security. In some cases we receive a financial reward for the responsible disclosure.

Do you demand money for the provided information?

No, that would comply with neither our guidelines nor our ideals. We do not want to extort money, so we pass the information to the administrator free of charge and confidentially. We are just as pleased about a simple “thank you” as we are about small donations.

How do companies react to your reports?

The reactions tend to differ greatly.

Most companies, however, are thankful to be informed by whistleblowers like us before an actual incident happens. On the flip side, other firms never respond to our mails or react extremely rudely, which is completely inexplicable, since we act with no malicious intent. Still, the security holes get closed in these cases nonetheless.

Extreme cases with no reaction whatsoever occur rather seldom. Should a company not listen to our advice, we try to reach them through higher authorities (e.g. CERTs).

How long does it take for the companies to react?

That varies as much as the reactions do. Sometimes the issue is fixed in less than 24 hours; other times it takes multiple months to completely verify and eliminate the vulnerabilities.

What is responsible disclosure?

In short, responsible disclosure means that we contact the vendor confidentially and give them time to fix the security issue before we publish any information about it, no matter how long that may take.

In return they don’t take any legal steps against us, and sometimes they acknowledge us in their hall of fame. In our opinion that is the best way to report security issues; everything else would be undiplomatic and irresponsible.

Why do you spend your free time on this project?

The internet is important to a lot of people, including ourselves. We think it is important to work on it as a community, so that it can stay a part of our day-to-day lives where people can feel good and secure. To achieve this goal, we contribute to the internet’s overall security by responsibly disclosing security issues.

Are you hackers?

The expression “hacker” has gained a negative reputation, mainly because of the media. We would much rather call ourselves internet-affine and curious humans with interests in IT and web security.

For us, “hacking” means having a creative approach and having fun using technology to explore new, unintended use cases. Having said this, it comes with a portion of responsibility, which is why we see ourselves as ‘ethical’ hackers and act accordingly.

Can you hack XY (for me)?

No, unless it is a system or application developed or managed by you.

Why aren’t you writing more blogposts?

TL;DR: We prefer quality over quantity. When it comes to IT security research, time is usually an important factor if you want valid results. Furthermore, we publish all blog posts in both German and English. We also have other projects that we work on, as well as a normal life.

What are your plans for the future?

Our team is already happy to be playing a small part in shaping the future of the internet. Of course we plan to keep reporting security issues to the operators of the web applications we examine, in order to raise the security level of the internet. We also plan to explore other topics.

We are happy to get suggestions, questions or feedback. You can find our contact information on the contact page.