DEV Community

Stijn de Ligt

How to ask for payment when finding security issues in a big website

Recently I discovered two medium-sized security hacks in an international platform that, ironically enough, specializes in security by means of phishing prevention.

These issues allowed me to have insight into their internal db and GraphQL structure and insert data that should not be there. With these hacks I could theoretically make the platform useless for some of their paying clients, but obviously I am not going to do that.

I'd like to point these out to them, but am not intending to go unpaid. How would you contact the people behind this platform with my intentions? It's important not to come off as threatening (I really mean no harm), and not to reveal the source of the issues right away.

As you might guess, I have no knowledge about anything like this. If you think this is a bad idea to begin with, feel free to share your thoughts as well!

Top comments (6)

Karan Gandhi

That's tricky.

1.) Check if they are in some bug bounty program like HackerOne or Bugcrowd. If they are, join those websites and route your findings through them.

OR

2.) Check if they have a bug bounty or security program. Mail your findings to their CISO or CTO. Keep a detailed write-up of your findings.

OR

3.) Check where the company is located,
Check the cyber security laws of your country,
Check the cyber security laws of their country.
Check if they can sue you in your country.
Check if your country can protect you if you get sued.

If they can sue you & you cannot lawyer up, then just forget it. The bounty is not worth the hassle. Your intentions don't matter. Even if you intend to be a responsible developer, chances are the companies are going to sue you and implicate you in any losses they feel may have been caused by you.

Btw if you even want to provide responsible disclosure without getting paid, don't bother unless you can lawyer up.

Stijn de Ligt

Awesome! Turns out they are part of HackerOne. Never heard of those sites so thank you!

Karan Gandhi

That's great news!
Also, welcome to the dark side.

Stijn de Ligt

Update: The issue was real but I was the second one to report it :(
Still a pretty cool experience so thanks for helping me again!

Karan Gandhi

cool

Michael Tharrington

It sounds like you've already been helped here, but just to note that if you find any security issues with DEV, you can report them following the process outlined here.

Something that you may want to try to do when reporting the issue is defining how severe it is. You can take a look at Bugcrowd's taxonomy rating for information specific to this. I'm not sure if it'll make too much of a difference, but if you report it and let them know you're aware that it's a pretty severe issue, this might tip the scales in your favor.

Best of luck in reporting this issue! I hope ya get a decent payout. 🙌