
Long story short, I found an easily reproducible, very easy, and honestly embarrassing exploit on a major (yes, major) financial institution's online banking site today. It's not directly tied to banking per se, but to a "secure" messaging system where banking details would very likely be shared.

The issue is basically an authentication bypass. With the exploit I can easily log into any account (so it seems; I've tried a few) and read secure messages between the user and various bank departments, and I've verified this on several of my own computers in incognito browser windows.

I would like to report the issue, and while I'm sincerely not looking to "cash in" I was curious if it's typical to inquire about some sort of bounty. I'm a person of high integrity and of course have no malicious intent.

I will not share specific details about the exploit or the target site. Looking for advice on how to proceed notifying the company and ensure that they take it seriously.

trnelson
  • Your intent is irrelevant. This can be construed as blackmail and end in your being prosecuted. There was another question that this is almost a duplicate of, but I cannot find it right now. – Deer Hunter Nov 07 '15 at 04:56
  • Companies like tippingpoint.com offer bug bounties and will protect your identity (to some degree). I'm not sure what qualifies as a valuable bug to them, but maybe that will work for you. They have a very responsible disclosure process and are owned by HP, so you know you're not selling your vulnerability to Russian hackers or something. – Neil Smithline Nov 07 '15 at 05:48
  • @DeerHunter Was this the question perhaps? http://security.stackexchange.com/questions/13760/found-huge-bug-what-should-i-do/13762#13762 – Scott C Wilson Nov 07 '15 at 12:59
  • No worries, thanks for your suggestions. I have gone ahead and contacted the company with vague details about the problem asking for contact back. Like I said, I'm really not looking for a bounty, but was more inquiring if companies generally have one, even if not advertised. Upon further reading, it seems like they generally don't. Of course, because I'm a customer of this institution, I want the problem fixed and I have no intention of leaving them as a customer. – trnelson Nov 07 '15 at 13:36
