
Verifying order requirements



Hi!



I’m new here at Fiverr and have this gig where I perform a security audit by trying to hack WordPress websites to locate vulnerabilities. I perform a simple pentest basically.



I have sold many security audits over the years but never on a marketplace like Fiverr. One of the problems I have faced so far is trying to verify that the order is actually carried out by the website owner. It would be very easy for somebody to order my gig, wait a couple of days and then get a detailed PDF explaining how to gain access to the website by just sending the URL to a friend’s website or even a competitor.



So far I have been using the order “instructions field” where I ask the customer to verify that he is the website owner by uploading an empty HTML or TXT file to their website with the same name as their Fiverr order no, and then send me the URL. That should not be too much of a problem, right? If you are a website owner you should be able to at least upload a simple file.



Anyway, my problem is that lately many customers have been neglecting to verify that they are website owners and are just sending me the website URL. And as soon as they submit anything to my instructions the clock starts ticking.



Is there any way to verify what the customer is submitting? Are the instructions too complicated? I don’t want to lose time waiting for the correct information and I certainly don’t want to hack the customers’ competitors’ websites.

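The file-upload check described in the first post, as an added example that is not part of the original thread. The order number `FO0001TEST`, the `example.com` URLs and the function names are constructed for illustration. It goes one step beyond the post: because the proof file is empty, it also probes a random file name in the same folder to catch sites that answer 200 for every path.

```python
import secrets
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

def http_fetch(url):
    """GET url; return (status, final_url). urllib follows redirects itself."""
    try:
        req = Request(url, headers={"User-Agent": "ownership-check"})
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.geturl()
    except HTTPError as err:
        return err.code, url
    except OSError:
        return 0, url  # DNS failure, refused connection, TLS error, timeout

def host(url):
    """Lower-cased host name; www.example.com and example.com count as one site."""
    name = (urlsplit(url).hostname or "").lower()
    return name[4:] if name.startswith("www.") else name

def verify_proof(order_no, site_url, proof_url, fetch=http_fetch):
    """Return (ok, reason) for the proof-file URL a buyer submitted."""
    parts = urlsplit(proof_url)
    if parts.scheme not in ("http", "https") or host(proof_url) != host(site_url):
        return False, "proof URL is not on the site to be audited"
    folder, _, name = parts.path.rpartition("/")
    if name.lower() not in (f"{order_no}.html".lower(), f"{order_no}.txt".lower()):
        return False, "file name does not match the order number"
    status, final_url = fetch(proof_url)
    if status != 200 or host(final_url) != host(site_url):
        return False, f"proof file not served by the site (status {status})"
    # Control probe: the proof file is empty, so its content proves nothing.
    # If a random name in the same folder also returns 200, the site answers
    # 200 for every path and the proof file's presence is meaningless.
    control = parts._replace(path=f"{folder}/{secrets.token_hex(8)}.txt",
                             query="", fragment="").geturl()
    if fetch(control)[0] == 200:
        return False, "site returns 200 for any path, so the check is inconclusive"
    return True, "verified"

if __name__ == "__main__":
    # Constructed demo: a fake site that serves exactly one file, no network.
    served = {"https://example.com/FO0001TEST.txt"}
    fake = lambda url: (200 if url in served else 404, url)
    print(verify_proof("FO0001TEST", "https://www.example.com/",
                       "https://example.com/FO0001TEST.txt", fake))
    print(verify_proof("FO0001TEST", "https://www.example.com/",
                       "https://example.com/blah.txt", fake))
```
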

I may be a little off-base here, but perhaps you could ask for login details for their GWMT or Bing WMT or their analytics account or something like that which would also prove their ownership of the site. Uploading an empty .txt or .html file isn’t necessarily a hard thing to do if you know what you’re doing. However, if it’s the kind of website owner that has to depend on a separate web developer / webmaster to implement something for them, that could cause the problem. Not every website owner manages their own site, but I’d think all of them would know how to access their own WMT or analytics accounts. Could that maybe work for you?


I don’t want anyone’s user credentials to anything. It can be scary enough to ask some random dude to perform a security audit without sending over their usernames and password to stuff.



The easiest way would be to ask them to send an email using an account on the same domain as the website, but that probably interferes with Fiverr regulations since you are not supposed to communicate outside Fiverr.



I think people capable of using WordPress can upload a file. That’s not really the big issue. What troubles me is that they can type in “blah” in the instructions box and my clock will start ticking.



Essentially I could be done with the security audit ahead of time but can’t deliver due to the fact that the customer hasn’t verified themselves yet.


I can understand that. Not sure what to recommend then. It’s one thing to wait on information from a buyer to get started, but it’s another thing completely to wait on a buyer to complete a task. The only thing I can suggest is increasing your delivery time a bit in order to give your buyers time to properly verify the site they’re looking to receive an audit on. Last I saw your lead time was at 3 days right? Can’t see why they’d need more time than that to either verify themselves or have their webmaster do it for them. Hope you get it worked out.


Hmm, what about asking them to add a link you provide to their blogroll? It doesn’t have to go anywhere if you don’t want it to, but it would verify their internal access to that blog and would be easy for them to do (maybe a link back to the order or something specific). You could also provide a short instruction if they’ve never done something like that before. I think I agree with one of the comments above that having them upload something is a bit complex. In reality, the people who couldn’t manage to upload something are probably the people who need your services the most. As to them ordering anyway, lead time and constant communication are probably your only defense.


Archived

This topic is now archived and is closed to further replies.
