What to do with a vulnerability you have found, and what to do if there is no Bug Bounty program?

    If you have information about a vulnerability and are thinking about how much gratitude you can get for it, then under no circumstances follow the example of the cases involving companies such as Kyivstar, MTS, PrivatBank (already debunked: https://habrahabr.ru/post/306694/), and many others. After all, the worst way to value a vulnerability is to leave the price of your services to the company.



    After my recent article, “Why there are no white hackers in Ukraine, or the history of the Kyivstar hack”, which made it into the “Most interesting on Geektimes” newsletter, I carefully read the comments and talked to some of my readers, and I realized that I had touched a sore spot.

    A vulnerability is definitely worth money: in the worst case, as much as the company stands to lose.
    In 2015, the loss from a data breach at an average company was estimated at approximately $3.8 million, according to a report by the Ponemon Institute and IBM.

    The minimum valuation of a vulnerability can be seen in public Bug Bounty programs. That is the range, from the lower bound upward, within which it is worth thinking.

    It is important to understand that valuing a vulnerability without proper analysis is a purely subjective process, because everyone will name a number pulled out of thin air. This is somewhat like valuing works of art. Each item (vulnerability) is:
    • absolutely unique
    • impossible to fake
    • available only as a single copy
    • worthless to some, while others are willing to pay millions for it.

    It was for hackers far removed from this understanding that Bug Bounty programs were invented, with a fixed price list announced for the described types of vulnerabilities and the whole thing put on a conveyor belt.

    Think about it: Malevich did not know how much his square would cost when he painted it.



    But still, many naive hackers send in their work and expect at least some gratitude, while management stares at them in confusion and the IT department, finishing its third DotA match with its left foot, fixes the bug that was rolled out with the thought “they don’t pay extra for this.”

    Particularly clever managers have already optimized their testers’ payroll by launching a bug bounty program and introducing fines and bonuses tied to the number of bugs found by an army of thousands of free hacker-testers.

    Not everyone with a technical mindset has sales skills and can negotiate with top management, so if the company in whose system you found the vulnerability has an open reward program and you agree with the announced price, then you can safely report it.

    If there is no program, then set your own price, why not? It is your time, and only you can value it. In the end, there is a shadow market and various forums where, with sufficient anonymity, you can sell information for good money.

    PS: selling information that is open and accessible to everyone is not a violation of the law.

