Author Topic: Earn discovering bug and security issue  (Read 1980 times)

0 Members and 1 Guest are viewing this topic.

Offline bio_n3t

  • Serf
  • *
  • Posts: 21
  • Cookies: -2
    • View Profile
Earn discovering bug and security issue
« on: April 16, 2012, 10:29:44 pm »
Some weeks ago, an Italian TV interviewed a man who lives by discovering bug and security issue, he says that he can earn from 40.000 to 600.000 € per year!! O.o
Now my question is: how can this people do this? I mean, he look for a security hole and then he asks to the owner of the site to be paied to solve the problem?
Is it legal or not?

I hope this is the right place to post my question, thanks!  :)

Offline lucid

  • #Underground
  • Titan
  • **
  • Posts: 2683
  • Cookies: 243
  • psychonaut
    • View Profile
Re: Earn discovering bug and security issue
« Reply #1 on: April 16, 2012, 11:15:46 pm »
It sounds like you are referring to white hats. A white hat may hack a server and then report the vulnerabilities to the company that he hacked. It is possible to make money doing this and yes it is legal. Not everyone will make as much money as he but it is possible.
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: Earn discovering bug and security issue
« Reply #2 on: April 17, 2012, 07:36:17 am »
There are sites that buy your discovered flaws, amount of money you get depends on the flaw - I can't remember the site now.

You can also sell those bugs on some "black market"... but this goes from legal to not very legal and you have to know your stuff...

But living freelance like that sucks IMO, because your wealthiness depends on the number of bugs in the code etc.

Offline bio_n3t

  • Serf
  • *
  • Posts: 21
  • Cookies: -2
    • View Profile
Re: Earn discovering bug and security issue
« Reply #3 on: April 17, 2012, 05:48:28 pm »
Yes I would like to report vulnerabilities but at the same time earn some money cuz I spent time to find bugs... now I just have reported an issue to a webmaster and he propose me to solve. I have said my offer and now I'am waiting for a reply... the problem is: how can I know how much I can ask to pay me?

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: Earn discovering bug and security issue
« Reply #4 on: April 17, 2012, 08:01:43 pm »
Well you will have to research how much usually such bugs cost...

xor

  • Guest
Re: Earn discovering bug and security issue
« Reply #5 on: April 18, 2012, 01:46:57 pm »
It's usually frowned upon to test someone's' website or server without permission and in almost all countries, the sheer act of doing this is already breaking the law.

However, if you do find an owner who is not an asshat about you trying to help, you have to be very care if you are going to ask for money. If you decide to release the information if they don't pay, or they don't want your help fixing it, then you are technically attempting to extort them, another illegal act.

Z3R0

  • Guest
Re: Earn discovering bug and security issue
« Reply #6 on: April 18, 2012, 04:01:13 pm »
As xor said, it is not very acceptable to just be like, "Oh hi, I hacked your website." Now if you approach them in a professional manner and say something along the lines of,
Quote
Dear webmaster, I have discovered a [rfi/lfi/xss/sqli] flaw on your FQDN, bigbootybitches.com. In regards to confidentiality, I will not disclose the vulnerability to any third parties. With that said, I have knowledge in web application security, and if you would like to work out a deal that's beneficial to both of us I would be more than happy to help fix the issue at hand. If you decline, it is okay, and I'm happy that you are now atleast aware of the vulnerability, but if you would like to continue this conversation my contact information is [address, phone number, etc]. Thank you, and I look forward to your reply.
-Your Name
If you approach them in a manner similar to what I said above, they'll be more willing to work something out with you than if you were just like, "Hi I hacked your website, I'll fix it for $50 dollars."

Now if you do end up disclosing after saying you wouldn't, you'll be subject to far worse legal ramifications than if you were to just hack it for the lols.

Offline bio_n3t

  • Serf
  • *
  • Posts: 21
  • Cookies: -2
    • View Profile
Re: Earn discovering bug and security issue
« Reply #7 on: April 18, 2012, 05:09:03 pm »
Can I say that "I found the issue casually"?  :D
For the money: I have never asked for money directly, first of all I report the problem without talking about money and then if they propose me some jobs I accept  ;D
I write something similar to what m0rph posted  ;)

Offline noob

  • Knight
  • **
  • Posts: 202
  • Cookies: 29
    • View Profile
Re: Earn discovering bug and security issue
« Reply #8 on: April 19, 2012, 03:39:33 am »
If is not 0day they will propably fix it by web admin if you report vulerability,he will trow couple scans, find unpached holes and fix it.If you have 0day you can make decent money if you send like 100 mails about 100 vulnearble systems :)
Anyway i agry with m0rph,its nice aproch and they got a feeling of you like a nice person.If you are a nice person.If you not ,put some backdoors ,dump databases and blackmail them  :o

Offline bio_n3t

  • Serf
  • *
  • Posts: 21
  • Cookies: -2
    • View Profile
Re: Earn discovering bug and security issue
« Reply #9 on: April 19, 2012, 10:18:56 am »
LOL  ;D Yes I will do as you and m0rph said :) and yes I am a nice person  ;)

Offline bluephantom

  • Serf
  • *
  • Posts: 23
  • Cookies: 0
  • Malanghackerlink
    • View Profile
    • My Profile
Re: Earn discovering bug and security issue
« Reply #10 on: April 20, 2012, 05:53:00 am »
LOL  ;D Yes I will do as you and m0rph said :) and yes I am a nice person  ;)

i think so  8)
“Maybe there are no right moments, right guys, right answers, maybe sometimes you just to say what’s in your heart”