10

Possible Duplicate:
How to disclose a security vulnerability in an ethical fashion?
Reporting vulnerable sites

I've found a security vulnerability which gives me the ability to transfer money to my account.

What should I do now? Do I get paid by the company where I found the bug? Should I report that bug to them before they tell me how much they pay me for that bug, or after?

Should I write to the Customer care or the Sales mail address of them? And what should I tell them anyway?

Am I allowed to share the existence of that bug without providing details?

The problem is that I'm a minor so I don't know anything about all this and I've also the fear that they don't believe me because of my age.

What I ended up doing: I just sent them a mail with the bug and didn't tell any adult about this at the time. They fixed the bug pretty fast and gave me a really small bounty worth around $200 at that time.

What I would do today: Now that I'm not a minor anymore (oh my, I've gotten old), I'd contact them through a penetration testing company or something similar and ask them if they'd be interested in us checking their system, telling them that they wouldn't have to pay anything if we didn't find anything, and disclose the bug through that. If they refuse (they usually don't if done right), I'd get in touch with them anonymously and disclose the bug.

Bob Ortiz
noob
  • 1
    I would recommend looking at http://security.stackexchange.com/q/807/618 and http://security.stackexchange.com/q/52/33 – Scott Pack Apr 14 '12 at 17:42
  • 3
    I'd guess that in most countries, it would be a very bad idea to either exploit such a bug or threaten to. Of course, there might be companies where you can get a “consulting fee” under such circumstances and it seems there is also a black market for this kind of information, but as with any black market, I personally would stay away from that; most people would consider just sending a (complimentary) description to the IT department the morally right thing to do – and if they don't fix it in half a year, send the description on bugtraq. – Christopher Creutzig Apr 14 '12 at 17:47
  • 3
    I rattled the doorknob and found the door was unlocked. Should I go in and take the valuable item I saw when the door opened a crack and notify my buddies I found an unlocked door? Or will I lock the door if possible and notify the owner? Moral dilemmas in a pass/fail situation. – Fiasco Labs Apr 14 '12 at 19:34

1 Answer

20

It is unlikely that you can legally make money from this bug. If you are considering some scheme to make lots of money from it: step away, take some time off. There is a significant risk that you will be prosecuted for hacking or for extortion if you try to demand compensation for reporting the vulnerability.

Note that in the US, hacking is illegal. The law is extremely broad and prohibits all sorts of things that many people might not realize are illegal. I don't know how you discovered the bug, but I am worried there is a high risk that the actions you've taken up to now (e.g., to discover the bug) might be illegal. If your actions in discovering the bug violated the law, even arguably, and if you piss off the company or generally act like a jerk (e.g., by demanding compensation), they might call up a federal prosecutor and convince the prosecutor to charge you for violating federal law. You really don't want to be in that position.

In general, it is rare for companies to compensate people who report security bugs to them. A few companies (e.g., Google) have "bug bounties" programs, where they promise to pay a few hundred or thousand dollars to people who report serious bugs to them under their program. But most companies don't do anything like that.

Generally speaking, here is my advice:

  • Have you ever hacked, or tried to hack, this site? Did you try anything that could be characterized as unauthorized access or an attempt to attack the site? (e.g., typing in a single quote to see if it is vulnerable to SQL injection, sending < to see if it is vulnerable to XSS, etc.) If yes, stop here. Don't disclose the vulnerability to them yourself. Give up any thoughts of making money. If you want to do the morally right thing, you could contact an adult you trust and ask them to report the vulnerability on your behalf without disclosing your identity -- but don't expect any payment.

  • If you are confident you have never done anything that could be characterized as attempting to gain unauthorized access or otherwise attack the site, and you are confident nothing you've done is likely to be treated as a violation of federal law (e.g., CFAA), then you could consider how to report the vulnerability to the site, if you wish. But don't expect to make any money off this. Don't demand compensation. Don't threaten. Don't ask for compensation as a condition of disclosing the bug. Don't expect compensation. If you are doing it in hopes of making money, stop: set it aside, because you don't want to be accused of extortion, and you have a lot more to lose than to gain.

    If you want to disclose the vulnerability, I would try to find someone you trust who has worked in a professional business context for many years. Ask them to help you disclose the vulnerability. Ask them to help you write a letter or email that describes the vulnerability. (I would disclose the vulnerability in writing, e.g., an email, a written letter, not by phone or in person.) Also, before doing any of this, have them read this thread and the following threads on this site:

    The reason I suggest having someone else help you disclose this is because there is a significant opportunity for misunderstanding. You want someone who has worked in business to help you craft the letter, to make sure it is taken seriously, and to make sure the company doesn't treat you as a threat and start coming after you with threats of a lawsuit or prosecution. Big companies have entire legal departments full of lawyers who exist solely to protect the company's financial interests. If they perceive you as a threat, they may use every legal resource they have to try to prevent you from embarrassing the company. Someone with more experience in a business context can help you protect yourself.

But, the bottom line is: check your motives. The only reason to report the vulnerability to the company is because "it is the right thing to do" and for the good of others. You are not likely to make money off this, I'm afraid to say this. If you find that you are doing this for purposes of making money, stop; go do something else. If you are doing this for purposes of making money, the risks are too high that you will find yourself hit with a lawsuit, a criminal prosecution, or something else that not only prevents you from making money, but also makes your life hell. There have been too many other cases where security researchers were prosecuted for "hacking", when they were just trying to report or publicize a security vulnerability (not even try to exploit it for financial gain).

P.S. Here is Dan Kaminsky's informal, not-to-be-taken-too-seriously, summary of how things tend to work today:

White Hat Hacker Flowchart, from Dan Kaminsky

D.W.
  • @micha - OK. I understand; sorry I didn't have better news for you. – D.W. Apr 14 '12 at 18:51
  • 1
    Yeah, adding "legally" is perfect, and btw that image is awesome. – noob Apr 14 '12 at 19:03
  • 4
    That's a very sensible answer. Because you _can_ steal something doesn't mean you are _allowed_ to steal it, even if it's tempting. But Micha, chances are good that you will be able to find a job to your liking, and that's worth a lot. – martinstoeckli Apr 15 '12 at 20:05