Earn discovering bug and security issue

[bio_n3t]

Some weeks ago, an Italian TV interviewed a man who lives by discovering bug and security issue, he says that he can earn from 40.000 to 600.000 € per year!! O.o
Now my question is: how can this people do this? I mean, he look for a security hole and then he asks to the owner of the site to be paied to solve the problem?
Is it legal or not?

I hope this is the right place to post my question, thanks! 

[lucid]

It sounds like you are referring to white hats. A white hat may hack a server and then report the vulnerabilities to the company that he hacked. It is possible to make money doing this and yes it is legal. Not everyone will make as much money as he but it is possible.

[Kulverstukas]

There are sites that buy your discovered flaws, amount of money you get depends on the flaw - I can't remember the site now.

You can also sell those bugs on some "black market"... but this goes from legal to not very legal and you have to know your stuff...

But living freelance like that sucks IMO, because your wealthiness depends on the number of bugs in the code etc.

[bio_n3t]

Yes I would like to report vulnerabilities but at the same time earn some money cuz I spent time to find bugs... now I just have reported an issue to a webmaster and he propose me to solve. I have said my offer and now I'am waiting for a reply... the problem is: how can I know how much I can ask to pay me?

[Kulverstukas]

Well you will have to research how much usually such bugs cost...

[xor]

It's usually frowned upon to test someone's' website or server without permission and in almost all countries, the sheer act of doing this is already breaking the law.

However, if you do find an owner who is not an asshat about you trying to help, you have to be very care if you are going to ask for money. If you decide to release the information if they don't pay, or they don't want your help fixing it, then you are technically attempting to extort them, another illegal act.

[Z3R0]

As xor said, it is not very acceptable to just be like, "Oh hi, I hacked your website." Now if you approach them in a professional manner and say something along the lines of,

Dear webmaster, I have discovered a [rfi/lfi/xss/sqli] flaw on your FQDN, bigbootybitches.com. In regards to confidentiality, I will not disclose the vulnerability to any third parties. With that said, I have knowledge in web application security, and if you would like to work out a deal that's beneficial to both of us I would be more than happy to help fix the issue at hand. If you decline, it is okay, and I'm happy that you are now atleast aware of the vulnerability, but if you would like to continue this conversation my contact information is [address, phone number, etc]. Thank you, and I look forward to your reply.
-Your Name

If you approach them in a manner similar to what I said above, they'll be more willing to work something out with you than if you were just like, "Hi I hacked your website, I'll fix it for $50 dollars."

Now if you do end up disclosing after saying you wouldn't, you'll be subject to far worse legal ramifications than if you were to just hack it for the lols.

[bio_n3t]

Can I say that "I found the issue casually"? 
For the money: I have never asked for money directly, first of all I report the problem without talking about money and then if they propose me some jobs I accept 
I write something similar to what m0rph posted 

[noob]

If is not 0day they will propably fix it by web admin if you report vulerability,he will trow couple scans, find unpached holes and fix it.If you have 0day you can make decent money if you send like 100 mails about 100 vulnearble systems
Anyway i agry with m0rph,its nice aproch and they got a feeling of you like a nice person.If you are a nice person.If you not ,put some backdoors ,dump databases and blackmail them 

[bio_n3t]

LOL  Yes I will do as you and m0rph said and yes I am a nice person 

[bluephantom]

LOL  Yes I will do as you and m0rph said and yes I am a nice person 

i think so