Need Guidance on Taking Over Website Development & Security Project

Hello Onehack members,

I’ve found myself in a situation where I’m unsure how to proceed and would really appreciate your guidance.

A couple of months ago, I discovered a severe vulnerability in an organization’s website that allowed full access and control. I responsibly reported it. Later, I found another issue where the entire website was affected by an SEO attack and reported that as well.

After that, the organization held a meeting with their current development and hosting vendor. The discussion was supposed to be constructive, but it turned heated, and the vendor even suggested that the organization switch vendors if they were not satisfied.

A few months later, I identified another critical issue in their mail server, which allowed me to take control of their email system. I reported this too. However, the vendor again refused to accept responsibility.

Now, the organization has approached me to take over their website development and deployment.

I’m trying to understand how to move forward safely and professionally. I have a few concerns:

  • What documents or agreements should I have in place before starting?

  • What potential pitfalls should I be aware of in this situation?

  • How can I protect myself legally and technically from future issues or liabilities?

  • What is the most efficient way to handle development and deployment, especially if they assign me 10+ projects?

At the moment, the organization itself is not very clear about requirements. They simply want “informative websites,” along with:

  • A CMS

  • WhatsApp chatbot integration

  • Full website redesign

I’ve also been given three possible options by their core team:

  1. Design and sell the design/code to the existing vendor (they handle hosting)

  2. Develop and host on their server, with intellectual property protection agreements

  3. Handle both development and deployment myself

I would really appreciate if you could share:

  • A practical roadmap for handling this kind of situation

  • Real-life experiences or lessons learned

  • Any advice on avoiding common mistakes and staying secure in the long run

Thanks in advance for your help!

In need of your experiences… @SRZ and others too.