Topic: I found an exploit. Where to sell? (Read 1820 times)

hero member
Activity: 1204
Merit: 531
Metaverse 👾 Cyberweapons
January 12, 2017, 09:03:24 AM
#19
I think I have taken enough time to think about this matter. Since this is an exploit not in the forum software, but somewhere else that affects a lot of services being sold in the forum, I find examining the bug bounty programs of these services in the https://bitcointalksearch.org/topic/overview-of-bug-bounty-programs-for-bitcoins-483195 thread, which @Bitcoin_BOy$ suggested too, a very good start. I did not know that there was such a convenient list of programs collected. If you are a service owner yourself, you may consider adding your service there!
legendary
Activity: 1288
Merit: 1000
January 12, 2017, 07:47:33 AM
#18
Let's make it clear. Maybe I didn't understand OP correctly. You found a security flaw in bitcointalk and now you want to sell it for money?
Or were you talking about some other generic exploit of another service? The best way is always telling the owner... even if you won't profit much from it.

If we are talking about bitcointalk then the best way IMO is sharing this bug with theymos -
you will be rewarded with a special badge, visible above your avatar, and will most likely receive a positive trust rating from staff members.
Maybe there is even a bounty for safely sharing security flaws? I am not sure.
copper member
Activity: 1330
Merit: 899
🖤😏
January 11, 2017, 09:29:05 PM
#17
Obviously this OP doesn't want ethical lectures :) and is just asking where to sell. Well, if you can use the exploit to take an advantage then use it, or if you are trying to use it and know they might notice it, then don't bother to sell it at all because it isn't worth anything and experts would know and will never pay anything for it.
If you think living by cheating and taking advantage over people is the way of human life, you thought wrong imo.
legendary
Activity: 1414
Merit: 1039
January 11, 2017, 09:03:14 PM
#16
It is NOT that I want to sell the exploit itself in this forum. Let us say, I found an exploit in a library that a lot of crypto products use and cannot handle in their code. Again, I do not want to destroy them by selling what I found itself.

So, what are my options to HELP people with this knowledge AND still make PROFIT?

I have my doubts that releasing a public thread about it would mean any help and reporting it individually may not reach the desired impact especially if the developers have less sophisticated English communication skills and the discussion ends up in confusion as I experienced a few times in the past.

Maybe sell it to the owners of that code and make a profit. You would be an ethical hacker as well as a savior in their eyes as well as the world (or at least in the eyes of the owner of the code and its users). Instead of selling it to exploit and cause damage to the owner, I would recommend to go with my suggestion. It would be a battle of good and evil for you my friend.

Agreed. You get money and you still get known as a good person. Technically, according to moral laws of this forum (and I guess earth in general), following the rules will place you in a good spot. Weigh out the options right now. There are numerous things that could go wrong with selling the method to someone -- could get saturated, company could find out, the person could sell it to the company instead of you and take your credit. These things (and more) all factor in to what you should do. I think the best route is to tell the company itself.
sr. member
Activity: 868
Merit: 259
January 10, 2017, 01:04:56 AM
#15
It is NOT that I want to sell the exploit itself in this forum. Let us say, I found an exploit in a library that a lot of crypto products use and cannot handle in their code. Again, I do not want to destroy them by selling what I found itself.

So, what are my options to HELP people with this knowledge AND still make PROFIT?

I have my doubts that releasing a public thread about it would mean any help and reporting it individually may not reach the desired impact especially if the developers have less sophisticated English communication skills and the discussion ends up in confusion as I experienced a few times in the past.

Maybe sell it to the owners of that code and make a profit. You would be an ethical hacker as well as a savior in their eyes as well as the world (or at least in the eyes of the owner of the code and its users). Instead of selling it to exploit and cause damage to the owner, I would recommend to go with my suggestion. It would be a battle of good and evil for you my friend.

This is the best route to go. Be of value to the world and don't be motivated to move because of a potential reward. If you really want to profit from your discovery then the darknet could be the perfect place for you. You can start looking around Alphabay and offer your warez there.
hero member
Activity: 2814
Merit: 911
Have Fun )@@( Stay Safe
January 09, 2017, 06:20:43 PM
#14
Just try to contact them and say that you can help them and that you have found an exploit, they will for sure give you something for it!
Yes, contacting the site and informing the site about the possible exploit is the best way to help them out, rather than simply attracting would-be hackers to the site, and if the site does find it to be a major find I am sure they will compensate you with a bounty without any doubt. Why don't you try that path before starting a thread here? Is it because you have not heard about bounty programs? :D
member
Activity: 104
Merit: 10
January 09, 2017, 04:51:40 PM
#13
Just try to contact them and say that you can help them and that you have found an exploit, they will for sure give you something for it!
hero member
Activity: 868
Merit: 535
January 09, 2017, 10:09:55 AM
#12
It is NOT that I want to sell the exploit itself in this forum. Let us say, I found an exploit in a library that a lot of crypto products use and cannot handle in their code. Again, I do not want to destroy them by selling what I found itself.

So, what are my options to HELP people with this knowledge AND still make PROFIT?

I have my doubts that releasing a public thread about it would mean any help and reporting it individually may not reach the desired impact especially if the developers have less sophisticated English communication skills and the discussion ends up in confusion as I experienced a few times in the past.

Maybe sell it to the owners of that code and make a profit. You would be an ethical hacker as well as a savior in their eyes as well as the world (or at least in the eyes of the owner of the code and its users). Instead of selling it to exploit and cause damage to the owner, I would recommend to go with my suggestion. It would be a battle of good and evil for you my friend.
member
Activity: 90
Merit: 10
<<<<>>>>>><<<
January 08, 2017, 10:52:31 AM
#11
price???
pm me infos
member
Activity: 79
Merit: 10
January 04, 2017, 10:55:24 PM
#10
We live in a world where people kill for a few more years living under or on top of young girls having nice houses and cars drinking best beverages and eating good meals don't forget doing drugs and most importantly don't forget ISIS the terrorists :( just make sure it doesn't end up in the wrong hands.

This is true, make a good decision. I think the idea about the exploit-db and giving them some time is a good method to help them out, and you will get rewarded by them most of the time.
hero member
Activity: 854
Merit: 503
|| Web developer ||
December 31, 2016, 01:36:22 PM
#9
There's a place in this forum for bugs and security issues. You will find more information in this thread:

https://bitcointalksearch.org/topic/overview-of-bug-bounty-programs-for-bitcoins-483195

Regards,
Bitcoin Boy.
hero member
Activity: 2926
Merit: 722
December 31, 2016, 12:56:46 PM
#8
Sell it to 1 person on this forum?

Yes, I could sell it to someone who I keep trusted and think that he would use it only within certain limits (without causing harm to others) for his own education, but can I truly trust someone with this?
You can't tell if you chose the right person, since people do have different minds and aims when it comes to money. I would rather choose to monetize that exploit myself than sell it to someone, and I could say that there are no people who could be trusted on this forum. IMHO
hero member
Activity: 924
Merit: 506
December 30, 2016, 04:24:54 PM
#7
We live in a world where people kill for a few more years living under or on top of young girls having nice houses and cars drinking best beverages and eating good meals don't forget doing drugs and most importantly don't forget ISIS the terrorists :( just make sure it doesn't end up in the wrong hands.
hero member
Activity: 1204
Merit: 531
Metaverse 👾 Cyberweapons
December 30, 2016, 04:18:32 PM
#6
-

Good idea, about giving them time to decide how much they would mind if I released it elsewhere!

I prefer to keep things the ethical way as I look forward to earning my first certificate in this area very soon (the exam will be next month) (:, but I have not signed any obligation yet so a slight color of darkness may not hurt until I draw attention in the professional line.

Actually, I am thinking of posting the idea of a small cybersecurity team or similar in BCT since I know that it would be helpful for the community and probably excellent fun opportunity too.

I was glad to see that You too were interested in this field. I look forward to discussing with You soon :)

Can I suggest something? just first use it widely for everyone to see the impacts and then you have your proof after that you could bargain about a deal with devs and demand a large amount to safeguard your future if it is something critical otherwise don't trust anyone with it at all costs.

Yeah, proving it is an issue too. I would have an easy method to prove it, but that actually includes the usage of the exploit itself (so obtaining full access to their product/DB), which I do not want to push them into panic with. Something like a whitepaper could look legit, but why would they even bother reading a wall of technical text without actual demonstration?
hero member
Activity: 588
Merit: 541
December 30, 2016, 03:55:23 PM
#5
Sell it to 1 person on this forum?

Yes, I could sell it to someone who I keep trusted and think that he would use it only within certain limits (without causing harm to others) for his own education, but can I truly trust someone with this?
Can I suggest something? just first use it widely for everyone to see the impacts and then you have your proof after that you could bargain about a deal with devs and demand a large amount to safeguard your future if it is something critical otherwise don't trust anyone with it at all costs.
newbie
Activity: 14
Merit: 0
December 30, 2016, 03:53:07 PM
#4
You should head over to here mate.

https://www.exploit-db.com/

I would also do a full disclosure to whoever made the code, give them 30 days to fix it, then release it on the DB. Unless they fix it.

You might also get a bug bounty from them if it's serious enough.

I would really like to know a bit more about this. I do a lot of pen-testing and debugging, so this is right up my street!

It all depends on what color hat you don my friend! White, Black, Grey :) there are many places to sell exploits if you have the right contacts and access to the right markets.


hero member
Activity: 1204
Merit: 531
Metaverse 👾 Cyberweapons
December 30, 2016, 03:51:18 PM
#3
Sell it to 1 person on this forum?

Yes, I could sell it to someone who I keep trusted and think that he would use it only within certain limits (without causing harm to others) for his own education, but can I truly trust someone with this?
full member
Activity: 154
Merit: 100
December 30, 2016, 03:46:33 PM
#2
Sell it to 1 person on this forum?
hero member
Activity: 1204
Merit: 531
Metaverse 👾 Cyberweapons
December 30, 2016, 03:45:49 PM
#1
It is NOT that I want to sell the exploit itself in this forum. Let us say, I found an exploit in a library that a lot of crypto products use and cannot handle in their code. Again, I do not want to destroy them by selling what I found itself.

So, what are my options to HELP people with this knowledge AND still make PROFIT?

I have my doubts that releasing a public thread about it would mean any help and reporting it individually may not reach the desired impact especially if the developers have less sophisticated English communication skills and the discussion ends up in confusion as I experienced a few times in the past.