Safe Whitehatting
Right, so say I've found some nice exploits in rather decent sites. Now I want to report these to the site admins so that they can patch their servers and such. I also do not want to get arrested. And if possible, I would like a bit of compensation. The last there is not really that important, but hey, I'm in college and if it's possible… I'll do it. Any suggestions on the best way to go about this and not get locked up?
Except if the owner of the site is psycho and believes extraterrestrials exist, you shouldn't get arrested for finding an exploit. Just send an email to the admin or bug report system and they will be glad about it. It's always what I do when I find exploits that are serious. Don't believe the CSI will seek after someone who found an exploit on an ordinary site.
Also don't believe you can get something out of it. Doing this is kinda dangerous because they can believe you want to take their website hostage in exchange for something.
Also if you don't want to get an answer about it, send the message from a newly created Hotmail account.
don't report it. big mistake.
I've done things like that in the past and all you get is a shitty reply saying "OMFG you hacker! I'm gonna report your ass you big prick!"
don't bother, it's too much risk for absolutely no gain at all.
just leave it, if the webmaster is good he'll patch it. if not and they know nothing about website security, then it's their problem, not yours. let them deal with it, much safer idea.
Mr_Cheese wrote: don't report it. big mistake.
I've done things like that in the past and all you get is a shitty reply saying "OMFG you hacker! I'm gonna report your ass you big prick!"
don't bother, it's too much risk for absolutely no gain at all.
just leave it, if the webmaster is good he'll patch it. if not and they know nothing about website security, then it's their problem, not yours. let them deal with it, much safer idea.
I agree. It's what got ME in trouble one time.
That was the craziest thing ever.
Don't report it. If someone exploits it, it's his own damn problem.
Bl4ckC4t
I work as a computer security person. I would like it if someone who found an exploit in anything that I have would report it to me. It is all in your wording on how people are going to take it. If you write "I was tinkering around on your site and found that there are exploits in this area and this area" the security guy will most likely think "WTF are you doing messing around with my site" (in other words what many people have come across). The other way, if you do not want to get into trouble, is you can contact the tech via phone and speak with them. Then you can offer your assistance to further the security on the site. If you contact them in person you will seem more professional and less like a threat.
but again it is totally up to you on what you do.
AldarHawk wrote: I work as a computer security person. I would like it if someone who found an exploit in anything that I have would report it to me. It is all in your wording on how people are going to take it. If you write "I was tinkering around on your site and found that there are exploits in this area and this area" the security guy will most likely think "WTF are you doing messing around with my site" (in other words what many people have come across). The other way, if you do not want to get into trouble, is you can contact the tech via phone and speak with them. Then you can offer your assistance to further the security on the site. If you contact them in person you will seem more professional and less like a threat.
but again it is totally up to you on what you do.
That's also true, but think of how badly corrupted the media has gotten hackers. People instantly get scared and start panicking when they think a hacker might try to exploit them.
The word "hacker" has gone from well respected to fully evil.
Bl4ckC4t