Information Security
Mouvdy, 2015-09-27 00:50:00

Why don't they pay for vulnerabilities? What am I doing wrong?

Greetings,
A combination of circumstances led me to change my line of work, and now it involves searching for vulnerabilities on various reputable sites.
After finding a serious vulnerability I almost always write to the admins, owners, etc.; more often I try to get in direct contact right away with the person in charge. As a result, only about 1 in 70 companies pays even a token "thank you".
And I wonder: what am I doing wrong?
Examples from the past month:
#1 A bank's website: contacted them in online chat, wrote to support; the hole giving access to the MySQL data was patched, and there was no reply after that.
// The customer base and people's loan applications were accessible; I didn't dig further
#2 A children's goods store: got into the database (more than 50 thousand orders, a customer base of 400 thousand); they paid $50
// A gorgeous customer base
#3 A cloud accounting system
// About 70 thousand customers. All users' data, logins and passwords were accessible. They paid $50
Damn it, what am I doing wrong? These customer bases are of great value to competitors and can damage a company's image. But I do what is right and honest.
I'd be glad of good advice.

6 answers

Daemon23RUS, 2015-09-27
@Daemon23RUS

After finding a serious vulnerability I almost always write to the admins, owners, etc.; more often I try to get in direct contact right away with the person in charge. As a result, only about 1 in 70 companies pays even a token "thank you".

IMHO it's about the ability to negotiate with the business owner. You manage to find a vulnerability, but you fail to convey the value of your find to the owner. There is no limit to perfection; there is room to grow...

Optimus Pyan, 2015-09-27
@marrk2

First agree on the vulnerability search, and only then look; you can sign a contract.
Because the professionals in this business download sites themselves; they have parsers set up and servers for it.

Puma Thailand, 2015-09-27
@opium

Oooh, go work for Khomyakov over there; the sites are bigger and they pay better.
sakurity.com
He's always hiring pentesters.

Evgeny Lavrentiev, 2015-09-27
@lavrentiev

You can find a vulnerability without a contract; after finding one, you can report it, but without revealing the essence of the bug. By the way, I somehow don't remember where the people from Kaspersky Lab were looking for potential customers :)
The most important thing when you find one is not to use the data you obtained and not to modify the system; otherwise it becomes a criminal offence.

c0de, 2015-09-27
@c0de

Become a blackhat? Or else negotiate first and then look for vulnerabilities? Or look for vulnerabilities where they pay for them?

asd111, 2015-09-27
@asd111

Puma is talking business: Khomyakov is constantly looking for specialists.
And there's also this site: https://hackerone.com/ , where many different companies order pentests and pay for them.
