
What to do with a vulnerability you have found, and what to do if there is no Bug Bounty program?

If you hold information about a vulnerability and are wondering how much gratitude you can get for it, then by no means follow the example of the cases involving companies such as Kyivstar, MTS, PrivatBank (already debunked: https://habrahabr.ru/post/306694/), and many others. After all, the worst possible yardstick for the value of a vulnerability is the price of the company's own services.



After my recent article, "Why there are no white-hat hackers in Ukraine, or the story of hacking Kyivstar", which made it into the "Most interesting on Geektimes" newsletter, I read the comments carefully and talked with some of my readers, and I realized that I had stepped on a sore spot.

A vulnerability is definitely worth money; at the very least, it is worth what the company stands to lose.
In 2015 the losses from a data breach at an average company were estimated at approximately $3.8 million, according to a report by the Ponemon Institute and IBM.

The minimum valuation of a vulnerability can be seen in public Bug Bounty programs. That is the frame within which, and beyond which, you should think.
It is important to understand that valuing a vulnerability without proper analysis is a purely subjective process, because everyone will name a number pulled out of thin air. It is somewhat like valuing works of art. Each item (vulnerability):

It was for hackers who are far from this understanding that the Bug Bounty program was invented: a fixed price list for the described types of vulnerabilities was announced, and the process was put on a production line.

Just think: Malevich did not know how much his square would be worth while he was painting it.



But so far many naive hackers bring in their creations and expect at least some kind of gratitude, while management looks on uncomprehendingly and the IT department, in the middle of its third game of Dota, patches the bug with its left foot, thinking "I'm not paid extra for this."

Particularly clever managers have already optimized their testers' salaries by running a bug bounty program and introducing fines and bonuses tied to the number of bugs found by an army of thousands of free testers: hackers.

Not everyone with a technical mindset has sales skills and can negotiate with top management, so if the company in whose system you found a vulnerability has an open reward program, and you agree with the announced price, then you can safely report it.

If there is no program, then set your own price; why not? It is your time, and only you can value it. In the end, there is also a shadow market and various forums where, with sufficient anonymity, information can be sold for good money.

P.S. Selling open and publicly accessible information is not against the law.

Source: https://habr.com/ru/post/306634/
