While playing with a site I have discovered a huge security problem. The thing is, if I tell them about it they might question what I was doing in the first place.

I was trying to hack my friend's account. I wasn't planning to do anything with it. I was just very curious and wanted to try something. I didn't think it would work because it was one of the big companies in the world. However, it did!

I know what I did was wrong, and I will never do it again, but for now, what should I do?

  • Do any of the answers in [How to disclose a security vulnerability in an ethical fashion?](http://security.stackexchange.com/questions/52/how-to-disclose-a-security-vulnerability-in-an-ethical-fashion) work for you? – gowenfawr Aug 24 '15 at 14:50

1 Answer

You just found the issue, you didn't take advantage of the flaw and never intended to do harm (I assume you wouldn't do any harm to your friends).

However, every company should be happy if you report the issue to them. Big companies like Twitter or Facebook even pay nice bounties for this.

You might check out HackerOne to see if the company you are talking about is listed. In case it is, just go ahead and submit an issue. You don't have to worry about the "I tried to hack them, they will send the police and arrest me" scenario. In case it is not listed, try browsing their website to see if they offer some sort of bounty program themselves. If they don't, you can still submit the issue to their support, etc.

bayo