Answer the question
In order to leave comments, you need to log in
Punishment for finding vulnerabilities?
Hello. In general, I sit on one site from my real ip, I use the site. Suddenly I find a vulnerability on this site (not very serious), in short: the vulnerability allowed viewing hidden user data (for example, an email address). I exploited the vulnerability on my second account. As a result, I decided to report this vulnerability to the site owners by mail. Everything is OK, the answer comes: "Thank you! Bla-bla-bla"
As a result, the vulnerability was fixed. Later, I found another vulnerability that allowed me to change elements on a web page (something like xss, but without the possibility of injecting js code). As a result, I told them again, they answered: “Thank you! Bla-bla-bla! We would like to give you a gift from our company - a branded ... (thing, I won’t name it) blah-bla-bla, we couldn’t would you provide an address?"
And now I think: "Is it worth giving them the address? It seems like I'm sitting on the site from a real ip, if they wanted to punish, they would have punished already." It seems like he did not exploit vulnerabilities for evil purposes, but simply found and informed them. Will there be any responsibility for this? If so, how difficult is it to prove malice (which was not)?
Answer the question
In order to leave comments, you need to log in
Will not.
Unless they linked the second account to the first one, but it’s unlikely, especially if it’s some kind of online game, where, according to tradition, developers don’t care about cheaters.
More like a thank you. Well, stimulate to look for vulnerabilities further.
You had to do some decent damage for them to want to punish you.
One must always remember the saying: "No good deed goes unpunished."
According to the subject - it's better not to get involved, because there is a big risk that they will try to hang all the dogs on you (failures in the site, hacks by other hackers, and simply the incompetence of the attendants). Of course, in the end, you will certainly be acquitted by our humane court. But to be under investigation, to survive the seizure of office equipment as material evidence and other delights - do you need this?
For the future - if you find a bug and want to make money, offer to conclude a written contract for a "security check". Only in this case you will protect yourself from fools. But it is not exactly.
I would not.
It's about the same as you walk down the street and find a gun / a bag of dope / a wallet with a hundred thousand bucks. What to do in this case? Yes, just pass by.
Why? Yes, because if you didn’t conclude an agreement to test the site for breaking resistance or search for errors, they can sew on Criminal Code 272. Of course, they can’t sew it on, but all the same, your nerves will be pretty shaken.
I found this in one site, but I reported the hole publicly. There was a temptation to somehow use it and collect a database for all users of the site, but laziness won out. As a result, after the message, everyone could make sure there was a problem, and after 1-2 days the developers fixed it. A few years have passed - no one was persecuted. But they weren't awarded.
PS do not think that there was critical information, only emails
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question