32
sleek
5y

I found a vulnerability in a food delivery app API that allows me to add credit to my account. I ate my first free meal today but I feel bad about it. What should I do 😞.

1- continue hacking free credit and eating free food.

2- stop and forget i found this bug

3- report the bug in exchange for money/credit

4- report the bug for free

Comments
  • 11
  • 16
    1 - jail
    2 - no
    3 - yes*
    4 - yes*

    * if you're a security expert stick to 3
    If not, try 3
  • 21
    Depends on the person, they can sue you even if you have good intentions
  • 9
    @devTea unfortunately that's true. Read some articles about white-hats in Russia reporting an exploit and being jailed.

    (I know, Russia and white-hats. Sounds not credible)
  • 3
    Didn't Darlene in Mr. Robot do something similar?
  • 7
    You folks will end up in jail as examples.

    You can look around for potential breaches but for fuck's sake stop exploiting it... Don't be a fool thinking they'll greet you with « hey nice job bruh, enjoy our service is free foreva' ».

    It's a bad time for dicking around.

    Come into the field if you like pentesting.
  • 2
    @devTea that dick move would be scary tho. Makes #2 seem plausible.
  • 12
    5- give me the application name
  • 4
    Create a new throwaway email address. Tell them about the bug. Forget about it. Maybe take another free meal as "compensation".
  • 4
    Clean up your tracks. Send an anonymous email with as much info as possible.
  • 2
    Post the steps here to teach the fellow devs
  • 2
    I am more concerned by the fact that you had to ask that question.
  • 3
    5. Share the vulnerability with us to unlock some bro points
  • 9
    Or 6 - end world hunger
  • 3
    Send them an anonymous email with the bug details, a demonstration, and instructions on how to donate with bitcoin
  • 2
    5- tell us the exploit so we can.. report it...
  • 2
    I've scammed a whole bunch of burritos out of one app. It seems to give me more reward points each time (as if I'd bought one) instead of taking them away (spending on the free one). I didn't do anything to hack it, and it's survived a change of phone, but it hasn't worked for colleagues.
  • 1
    I suggest #2. What you are doing is still theft. Would you take food without paying in a restaurant?
  • 3
    5 keep going and give the food to the homeless and change name to robin hood
  • 3
    Depends on the company. If they have a bug hunter program, by all means report it and give them their 3-month nondisclosure time. If not, I've found from experience that some companies tend to get way too much up their own ass about these things and try to sue you even if you do the whole disclosure right, with the best intentions. Ass-coverage of incompetence and so forth. It's what required me to drop out of school. Nowadays I'd first ask them how they deal with security vulnerability reports and make them sign a contract stating no legal action will be taken as long as industry standards are abided by. The competent ones might sign it, giving you the ass-coverage from them you need. Then privately report.

    In general though, assume that most companies - especially the small ones - are beyond hope in this regard...
  • 2
    @Nanos banks too. I've heard a fair few stories in which they love using their lawyers instead of getting some proper security folks on their legacy crapware.
  • 2
    @Nanos Haha, libraries, yeah. I had a few occasions in which I forgot to bring back a book, saw it getting expired.. and nothing happened. Makes you wonder just how much that "registration before lending" is really worth... Heck, even without all of that crap, if you're not a member, just take a book and put it in your backpack, you could easily get away with that.. incredible how they even still have books at all. The moral compass of people that visit libraries is far stronger than libraries' security I guess.
  • 1
    I know a guy who got fined thousands of euros for typing "someurl.com/../". It was a charity website that didn't display a thank you page when he donated some money. Got him interested, thought it was a scam, tried some easy pentest stuff (like typing /../). Didn't work out. Four days later he was arrested. The judge literally apologized for giving him a fine as there was absolutely no malicious intent, but he technically was trying to hack a system and that's illegal.

    TL;DR - Never hack any system unless you've got explicit, written consent from the party you're trying to hack. It doesn't matter how easy it is. Never ever do it.

    In this case, cover your tracks and go for option 4 from an anonymous email account.
  • 1
    Tell us tell us PLEASE 😁
  • 0
    @rutee07 you're hired.