Computer Hacking (security): I have found a major vulnerability in a major website. How can I turn this into making my profit or at least my employment?
-
I am a final year engineering student about to graduate. Recently I have found a major vulnerability in a major website which, if exploited, can lead to significant loss to the government. How can I legally turn this into making my profit or at least my employment (I am looking for placement into a nice company)? If I email any mid-level employee in the company, chances are that they will notice and patch the vulnerability without a hint to the higher authorities and I will get a mere thank you. I want to know: is there a LEGAL way that I can possibly show the company the vulnerability and ask for my compensation?
-
Answer:
I'm not sure if the vulnerability is in a government site or a commercial site, so I'm going to be a bit generic in my answer. First of all, many major websites have vulnerability reward programs that will pay you for vulnerabilities. You may be able to get a cash reward by reporting your find to the website operators. For an example of such a program, see Google's Vulnerability Reward Program at http://www.google.com/about/appsecurity/reward-program/. Some organisations that run vulnerability reward programs also publicly credit reporters for their efforts, which can be useful to your career (see http://www.google.com/about/appsecurity/hall-of-fame/), or even invite you to interview for their security team. If they don't have a formal program they might have an informal one and be willing to reward you or publicly credit you for disclosing the vulnerability. Make sure you do not require compensation before you disclose your information; this could be seen as extortion and might get you in trouble.

Another way to potentially profit from a vulnerability discovery is to contact a security broker like the Zero Day Initiative (http://www.zerodayinitiative.com/), which will pay money for security vulnerabilities. These companies are usually less focused on web security and more focused on native code applications. The post at http://blog.nibblesec.org/2011/10/no-more-free-bugs-initiatives.html has a list of resources for how you can get paid for security vulnerabilities. Finally, if none of these options appeal to you, there's always the public disclosure route (whether you take the "Full Disclosure" or "Responsible Disclosure" approach); this will ensure that there's a public record of your find which you can point people to on your resume, blog, etc.

EDIT (after reading the question again, I'll more directly answer here): It's generally not possible to disclose a bug and ensure that you get paid. Holding out for compensation before disclosure is legally risky and likely to build bad will with the affected organisation. Generally, in the absence of an organised vulnerability reward program, the best approach is to ask around and see if you can find a senior security person to contact directly. Reach out to them, share all the details with them and mention that you'd like to be compensated. They may compensate you or they may not; there's not a lot you can do. Otherwise you'll either need to find someone else who will pay you for the vulnerability (in an ethical and legal way) or be happy with a thank you and maybe a little public recognition.
Paul Chamberlain at Quora
Other answers
Why not talk to the appropriate personnel and get a recommendation letter once you disclose? The letter can then be used during interviews for jobs. If you benefit from the vulnerability with money, you may be perceived to be money-minded in job interviews. But if you get a recommendation letter from the affected organization, it may be perceived as a noble thing. Again, it is your choice. :)
Anil Saldanha
No formal legal way I know of, unless selling it on the 'darknet' to 'blackhats' is legal where you live? I.e. there is no real 'eBay type' legitimate zero-day exploit market (there is a FB group).
Chris Rutherford