6
AlgoRythm
49d

I need advice.

So let's say, hypothetically, I found a site with a user data leak.

Would it be illegal if I only told them where the leak was for a bounty?

I am NOT going to distribute the user data. I just don't want to work for free, you know?

Again: NOT DISTRIBUTING USERDATA. No blackmail. Just information that their QA should have caught.

Comments
  • 5
    If you obtained the information and can produce a repro without any sort of hacking or privileged access, there shouldn't be an issue.

    If they don't have a bug bounty program, there's no guarantee you'll get money out of them though.
  • 2
    @SortOfTested Basically, there's a sequential numerical ID, and you can replace your ID in the URL with your ID - 1 and get someone else's data.

    BUT

    I don't want to tell them unless I get something from them. Not money, but a virtual good (think vbucks, but not). I use this service.
  • 8
    @AlgoRythm so holding them to extortion for telling them about a data leak.

    Just remember, your data is in there too 😉
  • 3
    @C0D4 But is it legal though

    I have NO obligation to tell them that they have fucked code.

    I am 99% sure I am not forced to tell them
  • 4
    @AlgoRythm
    It's hard to get paid for zero days unless you're a security firm. It's generally cheaper to sue you.

    You're probably better off trying to sell to zerodium or someone with the pocket change to approach said company on the level.
  • 1
    @SortOfTested The service I want would cost them nothing (not even in lost profits - I didn't plan on buying it) and even if I took it out of my own pocket it would only cost about $100

    For as many as 17k records of user data (My ID was 17,000-something) I think they may be interested?
  • 1
    @AlgoRythm you're right, you don't have an obligation to tell them and they don't have an obligation to "reward" you if you do.

    But, extracting said data and using it against them or publishing publicly, that's usually where the line gets drawn on legalities.

    However, if said data is exposing private information about users, and I'm assuming you're a user too?

    Wouldn't you prefer it plugged since it's also your data open to the world.
    Chances are you're not the first to stumble on that mishap.
  • 1
    @C0D4 The data that the leak exposes has already been leaked for me. No password information.

    000webhost leaked my email and name AND PLAINTEXT PASSWORD many years ago. Now my data is worthless!

    So these guys can suck a cock if they won't award me

    EDIT: AND TO BE SUPER CLEAR, I'm not collecting or selling this user data, ever.
  • 1
    There's no way to be sure until you tell them.

    Most companies don't have big bounties and "Give me something and I'll tell you something" is usually not a great way to start such a conversation.

    Even companies with bug bounties ... you never know.
  • 2
    @AlgoRythm wait what!?!

    you use the same email and password as you did back then, to this day?
    I think that's where your problem may be in general.
    Password reuse is beyond a no no these days.

    There are sites that make that data publicly available despite the legalities of it - not talking about "haveibeenpwned"

    Your data is only as worthless as you make it, reusing passwords is a sure-fire way to reduce its worth and potentially open you up to identity fraud.
  • 1
    @C0D4 No, the password is different, the email is the same.

    I mean, this potential leak has the email that the 5+ year old leak already exposed, so I don't care if it is leaked. It's already out there. I get spam emails daily.

    As for protecting others, fuck it. At least for now. Maybe in a week my guilt will get to me
  • 1
    @AlgoRythm my email has been around the block numerous times.

    Set up spam rules and add 2FA/MFA and away you go again, if another breach occurs, it's only 1 of your accounts and not all of them.

    Back to your issue though, not every internet user is smart enough or has the brain cells required to not reuse their passwords, so you'd be doing a public service with / without a reward.
  • 1
    @C0D4 My actual email has never been breached, thank God. But my 000 account, obviously, was. Luckily there was no payment info there. And nothing else got broken into. So, I have never been negatively affected by a breach.
  • 1
    @M1sf3t Yeah, I think that last sentence is key.

    I am pretty sure they already had an even bigger leak.
  • 2
    @AlgoRythm consider this. Yes you might help them for free, but if everyone thought like you, how many leaks would go unpatched and stay open for criminals.

    Only telling them if you get paid is in my opinion very selfish and short-sighted.
  • 1
    @Voxera There are very many leaks unpatched. I have been in at least 5.

    I'm jaded about it, and selfish.

    All I do is make sure the things I produce are solid. I don't work for others. Not for free, at least.
  • 2
    @AlgoRythm fighting leaks is not only helping the company, but all other users.

    So what you're saying is that if any of us are a user of that service you're selling us out to ...
  • 1
    @Voxera Despite using the service, I hate the company too!

    Like I said, I'm jaded. I see it's not moral. It's not white hat. But I don't really care all that much right now.
  • 1
    So a friend who is a security tester often finds such stuff.

    He reports, they fix it. And everything over.

    When he demands any compensation, at max they give him a certificate.

    I don't know what to do but definitely don't go the straight way.

    First let them know you have found something with evidence which they cannot track.

    Get it on email that they'll pay you.

    Show them the loophole.

    ???

    Profit?
  • 2
    It isn't illegal to sell information about bugs.
    But that doesn't matter, if your diplomacy level isn't high enough to make your offer not sound like extortion.
    The risk of getting sued far outweighs the possible reward of a meager 100 bucks.

    So either sell to a broker,
    sell to them anonymously for cryptocurrency (make sure to get your opsec right),
    just tell them for free,
    tell someone else for free,
    or keep the 0day for yourself.
  • 2
    I've heard a few stories like this with unfortunate outcomes. Worst case is that the company treats it like a hack on their unhackable system - either to save face or they simply don't know the difference between "leaving the keys in the door" and a break-in.

    There was a thing here in Norway a couple of years ago where a student alerted his school about a security hole (user information was publicly accessible if you just knew the path), and after it was ignored he exploited it as a means to alert the owners, which got him reported to the police. The whole thing was treated as if he caused a leak.

    Not sure if there's any English articles out there but just for reference: https://vg.no/nyheter/innenriks/...

    He shouldn't have exploited it, but I feel I see this a lot. People will jump at any chance to defer blame.
  • 2
    Not using a UUID for user profiles these days is a sin.

    But in general, they didn't hire you to do a security audit, so they don't have to pay you anything at all. There's no contractual need to give you anything or even listen to you, what's more, they might argue that you found the hole because you were looking for it and that you had bad intentions and even sue you.

    Most won't go that far from what I hear, and often they give rewards if they are a good sport, but you can't call it "working for free". That's not what happened. You found it on your own time out of your own initiative and that's all.

    You're prolly better off keeping it to yourself and forgetting about it. Or try mailing them from an anonymous account and just explain the situation and wait for a response. But definitely don't try to "if else" them, that's essentially blackmail.

    Sounds like this:
    "I have porn of you, and I'll delete it if you pay me, but don't worry, I'll keep it to myself if not"
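    The sequential-ID bug the original poster describes (swap your ID in the URL for ID - 1) and the UUID remark in this comment, as an added example that is not code from the thread: the vulnerable lookup beside one with an ownership check (a UUID only hides the next ID; the actual fix is authorizing the object), plus a simple access-log check for the same pattern. All names, IDs and log lines are constructed.

```python
# Added example, not from the thread: the sequential-ID profile bug the poster
# describes, as a minimal in-memory handler in its vulnerable form next to the
# ownership check that closes it, plus a log check. All data is constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed store with sequential integer IDs, like the service described.
PROFILES = {
    17001: {"email": "alice@example.invalid", "name": "Alice"},
    17002: {"email": "bob@example.invalid", "name": "Bob"},
}

@dataclass
class Response:
    status: int
    body: Optional[dict] = None

def get_profile_vulnerable(session_user_id: int, requested_id: int) -> Response:
    """Checks only that the caller is logged in; any ID in the URL is served."""
    if session_user_id not in PROFILES:
        return Response(401)
    profile = PROFILES.get(requested_id)
    return Response(200, profile) if profile else Response(404)

def get_profile_hardened(session_user_id: int, requested_id: int) -> Response:
    """Authorizes the object, not just the session: the record must belong to
    the authenticated user. Answering 404 rather than 403 also avoids confirming
    which IDs exist, which blunts walking the ID space."""
    if session_user_id not in PROFILES:
        return Response(401)
    if requested_id != session_user_id:
        return Response(404)
    return Response(200, PROFILES[requested_id])

def flag_enumeration(log_lines: list, threshold: int = 3) -> set:
    """Detection side: from access-log lines 'session METHOD /users/<id>',
    return the sessions that touched more than `threshold` distinct IDs."""
    seen = {}
    for line in log_lines:
        session, _method, path = line.split()
        if path.startswith("/users/"):
            seen.setdefault(session, set()).add(path.rsplit("/", 1)[1])
    return {s for s, ids in seen.items() if len(ids) > threshold}

# Constructed log sample: s1 walks IDs downward, s2 only views its own profile.
SAMPLE_LOG = [
    "s1 GET /users/17003", "s1 GET /users/17002", "s1 GET /users/17001",
    "s1 GET /users/17000", "s2 GET /users/17002", "s2 GET /users/17002",
]
```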
  • 1
    In Hungary, some guy reported a similar bug to a governmental company. He didn't want to do anything, just thought he could report. They called him a hacker, and he got a financial penalty and almost a prison sentence as well.
  • 0
    Dropping a comment here cuz this Rant might last long
  • 0
    @theabbie what do you mean
  • 0
    @AlgoRythm I thought this Rant would gain a lot of attention