
Website Vulnerability Business


XenonNuemann

Junior Member
What is the name of your state (only U.S. law)? CO


SWIM has learned over a course of time how to find vulnerabilities in websites.
SWIM can do it well and wants to start an independent business with what SWIM knows because SWIM is very good at it.
If SWIM found a vulnerability in a website and wants to tell the site about it, or offer a service on finding vulnerabilities, how would SWIM do that safely and legally?
 


justalayman

Senior Member
Saying what exactly?
How do I do it legally but gain from the service?
Hey, I discovered a vulnerability in your website. I would be willing to share my discovery if the price is right.





Fair warning: do not threaten them in any way and if you violated the law to probe their site to find vulnerabilities, don’t bother contacting. You can be prosecuted.
 

XenonNuemann

Junior Member


Shouldn't it be more like
" Business of ____
We find Vuln. Exploits may be in your website allowing data to be leaked to hackers.... etc.
Willing to find and show problems for $x"
 

justalayman

Senior Member
It’s your letter. You be as formal or as casual as you want to be.

I think tossing out a number without the website owner having any idea what the vulnerability is is pushing it a bit. How is he to know if it’s worth anything close to what you’re seeking for payment?


To be honest your letter sounds like those scam overlaid “warning. Your computer may be infected” warnings I get all the time about my computer or even those phone calls from “Windows” (ya know, the product Microsoft makes and Microsoft techs deal with). They just don’t know what to say when I tell them I don’t use a computer that runs Windows.

Introducing yourself and your company would be a much better opening. Don’t they teach you kids anything in school anymore?
 

XenonNuemann

Junior Member
I'm scared of it being illegal in the way I state it.
Like blackmail or saying that I have hacked the site without permission to do this.
 

justalayman

Senior Member
I said long ago; if you violated the law to discover the vulnerability, just keep your mouth shut and walk away. You can be prosecuted if you broke the law and confessing to the person you violated isn’t a bright idea. About the only thing worse is calling the cops and saying; hey, just wanted you to know I broke the law.


As to blackmail; that’s why I said do not threaten them in any way. Don’t even say anything that remotely sounds like a threat as that is extortion (blackmail).



If you haven’t broken the law there is nothing wrong with selling them your information or skills.
 

quincy

Senior Member
Don't hack the site and don't threaten. State what you found. You are unlikely to be paid for your discovery, so I wouldn't count on compensation.
 

quincy

Senior Member
SWIY needs to get off blulight.ru
:)

Xenon, you might do better to start off working for an already established web security business and build your credentials before striking off on your own. I am not convinced you will be paid for what you know otherwise.

If you want to start your own web security business first, however, you will need to follow the proper steps in developing it - including registering your business with your state. Pick a unique name to identify your business and advertise.

Few will pay an unknown individual or entity on that person's/entity's unsubstantiated claims alone.

I suggest you consult with a business professional in your area and go over your plans.
 

FlyingRon

Senior Member
I'd be very careful of even poking at sites looking for vulnerabilities to offer to fix. I've been working in computer security since the seventies. Often when we fix a security vulnerability we put something to log attempts in. You may find yourself on the wrong side of an investigation if you trip one of these.
 

quincy

Senior Member
Good point.

Many/most websites have some sort of security system already that can detect intrusions.

There are so many internet security businesses right now that I would think it difficult to break into the field without a good background in web security.
 

FlyingRon

Senior Member
Yep, in all the cases I have attempted intrusions I had prior approval from the site. Even in the case where I was working for the Army and breaking into an Army site, we always told that site's security officer what we were doing. Only once did I have a site security person "burn" me by telling his site that we were working. My favorite was a security officer who played it cool when someone told him there were strange people around. He told them to follow the standard procedures.
(Our security efforts weren't just computer/network security but also physical security...I could tell some stories).
 

quincy

Senior Member
You appear to have been described accurately. ;) :D
 
