Why don't they pay for vulnerabilities, what am I doing wrong?
Greetings,
A combination of circumstances led me to change my line of work, and now it involves searching for vulnerabilities on various reputable sites.
After finding a serious vulnerability, I almost always write to the admins/owners, etc.; more often I try to get in direct contact right away to talk to the person in charge. As a result, only about 1 out of 70 companies pays even some kind of "thank you".
And so I wondered: what am I doing wrong?
Examples from the past month:
#1 A bank's website: contacted them via online chat, wrote to support; the hole giving access to MySQL data was patched, and nothing was answered after that.
// The customer base was accessible, people's loan applications; I didn't dig further
#2 Children's goods store, in the database (more than 50 thousand orders, customer base of 400 thousand), paid $50
// Gorgeous customer base
#3 Cloud accounting system
// About 70 thousand customers. Data of all users, logins and passwords, accessible. Paid $50
Damn it, what am I doing wrong? These customer bases are of great value to competitors and can damage a company's image. But I do what is right.
I would be glad of good advice.
After finding a serious vulnerability, I almost always write to the admins/owners, etc.; more often I try to get in direct contact right away to talk to the person in charge. As a result, only about 1 out of 70 companies pays even some kind of "thank you".
First agree on the vulnerability search, and only then look; you can sign a contract.
Because the professionals in this business download sites themselves; they have parsers set up, and there are servers for this.
Oooh, go work for a hamster there; the sites are bigger and they pay better.
sakurity.com
He always hires pentesters.
You can find a vulnerability without a contract; after the vulnerability is found, you can report it without revealing the essence of the bug. By the way, I somehow don't remember where Kaspersky Lab was looking for potential customers from :)
The most important thing when you find one is not to use the data obtained and not to change the system, otherwise it becomes a crime.
Become a blackhat? Or first negotiate, and then look for vulnerabilities? Or look for vulnerabilities where they pay for them?