44
Sach17
7y

4 years ago, during our college, a friend of mine was explaining to us about hacking using simple SQL injections. He showed us some of the sites he hacked. Out of curiosity we tried it on the college internal website, and it worked. We had access to all the details of all the students in the university, and even the lecturers' information. We informed the management; they were shocked on seeing this. They had just spent 25 lakhs on this website a couple of months ago.
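The kind of flaw described in the post, as an added example that is not code from the post or from the college website (whose code is never shown): a student lookup built by string concatenation beside its parameterised form, run against a constructed in-memory table, so the difference in what each returns for the same input can be checked directly.

```python
import sqlite3

# Constructed sample rows standing in for the "student details" table in the story.
STUDENTS = [
    (1, "alice", "alice@example.edu", "Alice A."),
    (2, "bob", "bob@example.edu", "Bob B."),
    (3, "carol", "carol@example.edu", "Carol C."),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER, username TEXT, email TEXT, full_name TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", STUDENTS)
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable form: the input is spliced into the SQL text, so a quote in the
    # input ends the string literal and the rest becomes part of the WHERE clause.
    sql = (
        "SELECT username, email, full_name FROM students WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Hardened form: the driver binds the value as data; the query structure is
    # fixed at compile time and no input can add conditions to it.
    sql = "SELECT username, email, full_name FROM students WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return row counts for a normal username and a constructed tautology input."""
    conn = make_db()
    normal = "alice"
    tautology = "x' OR '1'='1"  # constructed test input, the textbook case
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_tautology": len(lookup_safe(conn, tautology)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The concatenated query returns every student for the tautology input, which is exactly the "all the details of all the students" outcome in the post; the bound query treats the same input as a username that matches nothing.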

Comments
  • 14
    Good on you for being a white hat. Welcome to devRant
  • 12
    Also keep in mind that not all companies/government entities are happy about being informed about weaknesses in their system. It is a sad truth, but sometimes doing companies a favour can come back to bite you in the ass.
  • 1
    @wizzzard create a protonmail account for that 😉
  • 4
    I found several major bugs in a large company's website (one you would know), made a one page report for all of them including risk factors, possibility they are already exploited and how to fix them.

    One of the bugs included ability to get full details for all their users including name, addresses, phone numbers, PayPal emails.

    They made a CVE for each exploit with most listed as high or medium risk.

    Guess what my thanks was?
    They told me thanks for all my work and that they would shout a beer for me next time I'm in (city in USA).
  • 0
    Our college contacted the company who developed the website... They fixed some security bugs... We weren't able to access anything after a month.
  • 3
    I SQL inject at work when putting in a request for db access is going to take too long... I patch the nasty code afterwards and everybody wins but damn it sucks to see vulnerable code in this day and age.