0

Here is the story. There is a private company, that has some software product that is used by thousands of its customers. After spending few sleepless nights on reverse engineering that product, I identified a critical flaw in it. The reason I explored this product was pure sport - reverse engineering is my hobby and nothing more.

But during my exploration I identified a very serious flaw that I did not expect. Exploiting it will mean extracting big money from the users of that software (customers of the company).

Now I'm not going to exercise that idea to steal money from other people, that's way beyond my moral principles. Though somebody not really bound with such principles could make "big" money, permanently (for months or years), without trace.

I think it makes sense to mention, that this is the company that makes money when its customers lose money, basically. Imagine financial trading, money lending, gambling, etc. that type of industry. So nobody really "loves" them (incl. their customers), and they know it, and they're ok with it.

I think it would be fair, that I could sell this vulnerability info to the company for a large sum, but I'm not sure how (if at all) this can be done. Just revealing the exploit to the public, even proving (without revealing the details) that such a vulnerability exists (and has always been existing!) would be a HUGE blow to the company, as they will probably lose big portion of the customers. Nevertheless, (and even considering that company makes millions of dollars per annum) I'm almost sure they won't be willing to pay me anything unless I provide 100% proof.

The dilemma is - how to explain them the magnitude of that vulnerability, without disclosing hints about where to search for it. If I disclose the software product, and what kind of action contains what kind of vulnerability, I'm pretty sure they will try to investigate the particular possibility in a particular use-case, and eventually find the vulnerability themselves. On the other hand, if I'll be vague ("I found something in one of your products, that can be used to steal money from your customers"), I'm pretty sure they won't believe and won't pay anything.

If I disclose the info to them without demanding anything, i.e. for a bona fide reward, I'm sure they won't issue any reward. They're just that kind of company - they don't care about bona fide security researchers. They will fix it even without replying with a "thank you" mail.

Any kind of advice will be greatly appreciated. Is it not fair to expect some sort of payment from the company in such a situation? I've never dealt with such a situation before (as I mentioned, RCE is just a hobby for me).

EDIT/CLARIFICATION:

"If you can prove it and they still will not pay, what will you do? The answer to that will determine if this is blackmail."

I will not, under any circumstances:

  • Use the exploit myself to benefit.
  • Reveal the vulnerability details to the public (without giving opportunity to the company to fix it), so that other people can exploit it.

What I could do (and I'm still not sure whether this is a good or bad thing), is to tell public about the mere existence of such a vulnerability. Something like a video demonstrating that such thing is doable. As I mentioned, such an action would result in company losing many customers, but if they do not bother to care, if they say "we don't want to pay for that info", would it be morally wrong or right thing to do?

I don't care about the company. They make millions by exploiting their customers, so they don't deserve any respect from me. I did some work (spent some significant hours), and if the company wants to benefit from my work, it makes sense for them to pay for it, doesn't it? OTOH, you might say that I have responsibility about their customers to warn/protect them, but I fail to understand why I am obliged to do it for free(?) I.e. even doctors don't cure you unless they get paid, right? Medicine for cancer treatment cost big money, because somebody spent their life researching it and now demands/deserves to be paid. In this light, I don't understand why some comments are hinting I should do this for free. Could you please elaborate, am I really wrong to seek financial benefit for my work?

peterh
  • 2,958
  • 6
  • 26
  • 32
Titan
  • 117
  • 2
  • 5
    Sorry, but questions about [blackmail](https://en.wikipedia.org/wiki/Blackmail) are off-topic for this site. – browly Oct 11 '19 at 22:50
  • 1
    @browly, I don't really think "blackmail" is the relevant word in this case. Is it morally wrong to sell vulnerability info to the private company? I'm not planning to "blackmail" them, i.e. I'm not planning to tell them "If you don't pay, I'll do this or that". If that's what you mean. Definitely I'm not going to threaten them to release the info to the public, even if they don't pay. – Titan Oct 11 '19 at 22:59
  • 4
    The "I think it would be fair,,," paragraph and its context really does look like you are considering a blackmail situation. Combined with your desire to prove the vuln without actually disclosing it so that you can get paid *first* adds to this notion. If that's not what you meant, then you could edit your question. If fact, that paragraph and the ones before it can be removed without affecting your question. Let me ask: if you can prove it and they still will not pay, what will you do? The answer to that will determine if this is blackmail. – schroeder Oct 12 '19 at 07:26
  • 4
    You want to know how to get paid for finding a bug when the company does not have a bug bounty program. The seriousness of the bug and the reputation of the company really doesn't matter. – schroeder Oct 12 '19 at 07:31
  • 1
    Relevant links: https://security.stackexchange.com/questions/172466/is-demanding-a-donation-before-disclosing-vulnerabilities-black-hat-behavior and https://security.stackexchange.com/questions/52/how-to-disclose-a-security-vulnerability-in-an-ethical-fashion and https://security.stackexchange.com/questions/203521/how-to-proceed-with-a-white-hat-hacker-claiming-a-vulnerability – schroeder Oct 12 '19 at 07:37
  • 5
    "If they won't pay me, I'll keep this knowledge to myself and put the public at risk" -- I think you are still stepping over into unethical territory. You have not been asked to do this work, so you have no expectation to be paid. Now that you have this knowledge, you are responsible for it. And you are trying to justify allowing others to be harmed because you want to be paid for something you were not asked to do. Should they reward you? Sure. Are they obligated to? Certainly not. – schroeder Oct 12 '19 at 10:05
  • Thanks for editing your question to make it more about security researcher ethics. It is closer to being on-topic, but now it is also a duplicate of [Is demanding a "donation" before disclosing](/questions/172466/is-demanding-a-donation-before-disclosing-vulnerabilities-black-hat-behavior), which was closed for being "primarily opinion-based". It seems questions about ethics, morality, and law are [off-topic for all Stack Exchange sites](https://meta.stackoverflow.com/a/375176). I suggest you take this question to the chat. – browly Oct 15 '19 at 16:22
  • 2
    As far as doctors not treating people without payment... All medical professionals in the US and many other places are required to save lives without regard to cost. Even bystanders are expected to provide emergency care if they're able. -- The reason why we're appalled is, this is like asking a doctor "hey, there's someone bleeding on my sidewalk. How do I bill them for giving them a bandage?" – Ghedipunk Oct 15 '19 at 19:41
  • 1
    I agree with Schroder and Ghedipunk; if you are approaching this from the standpoint of "I did a bunch of work un-asked, I deserve payment", you are essentially starting from a false premise. You decided to spend your time working on this, and until you give the full information to the company, you have in fact provided no benefit to them. Go through the responsible disclosure process, and you can at least use the eventual public disclosure as a value-add for your resume, which is all you "deserve". – Angelo Schilling Oct 15 '19 at 21:06

2 Answers2

9

Responsible disclosure, which most people on this site seem to endorse (including me), and is regarded as the most ethical way to notify a company of a vulnerability, is precisely what your comment says you won't do: Saying that you will tell the public.

With responsible disclosure, you're just giving them a chance to plug the hole and manage PR first, by giving them a reasonable deadline.

You may not have any loyalty to this company, but its customers deserve to be protected from the exploit based on basic human dignity. If you stay quiet, someone else with a shakier moral or ethical compass than you will find and exploit it. If you just shout it from the mountaintops today, several people with no ethics will rush to exploit it as much as possible before the company is able to engineer a fix. If you let them know and don't give them a deadline, then the company may not patch the vulnerability, and someone with fewer ethics than you will eventually find the hole.

If they have a bug bounty program, then great. Follow that and you'll be paid for your efforts. If not, then after you have told the company everything for them to fix their vulnerability, and after you have agreed to a reasonable deadline, you can ask if they have a bug bounty program... but make it clear that following the responsible disclosure deadlines has nothing to do with whether you would be paid or not. Don't just ask for money up front, because this can be very quickly construed as blackmail and, depending on jurisdictions, may require you to get a lawyer very quickly.

That is, you can not sell this information without risking serious legal trouble. You can give it away for free and accept a reward if one is offered.

Be careful, as some companies can be overly litigious when people reveal that they have found vulnerabilities. If you are in doubt, seek the personal advice of people who have done responsible disclosure of this type before. Security researchers who have published peer reviewed papers and talks may be the best bet to help you out here.

Ghedipunk
  • 5,935
  • 2
  • 23
  • 34
-1

This is how you can benefit to each other:

  • You can give them the details of the hole
  • They can give you a lot of money

This is how you can harm each other:

  • You can publicize the hole, or exploit it for yourself
  • They can initiate a legal case against you

Check this. It is actually a clear Prisoner's Dilemma situation.

The sad truth is, that in such a case, both players will defect, i.e. they will do worst (for the other player), despite that it will be worser for both of them, as if they would cooperate.

With other words, thinking in your current frame, don't count with that the company pays to you anything. If they play as it is optimal for them, that will mean that they will initiate legal channels against you, do you publicize (or exploit) their sechole or not, and to consider that, you don't even need to dig into their psychology. It is enough if you consider that they will do, what is the best for them. It has a mathematical proof, an enough strong mathematical proof to get the Nobel Prize for Economics in 1994.

The essence of this result is, although cooperation would be better for both of you, not this will happen. Non-cooperativity and total fight is clearly wired into the current playground.

The fact that they are not a "nice" company, thus probably not fair players, only worsers this situation.

The optimal for the company if they thank you the hole, and then they don't pay.

Thinking only in this system, you have no way change it.

What you can do: you can try to change the tables of the players. I.e. you need to think in a frame where the benefit matrix for cooperativity/non-cooperativity is different.

If you can afford it, you can, for example, inject third player(s) in the system. The most reasonable option is to communicate with them through a lawyer.

On the legal system,

  • If you found a sechole, but you did not exploit it, you are (mostly) innocent,
  • But for making work for them, you are allowed to ask money for that.

Of course they can reject your offer, but in this case you are not obligated to reveal the details of their sechole to them. However, you are still not allowed to exploit it (and probably you are also not allowed to publicize it).

The lawyer could mediate a contract between you. The lawyers have typically no idea about the mathematical game theory, but they are doing it actually very well in practice.

You can have also some other options. The important thing is, that somehow you need to change the playground, before you start to play! Because the current playground clearly shows, that you will publicize/exploit the sechole, and they will start a legal case against you without paying.

peterh
  • 2,958
  • 6
  • 26
  • 32
  • 1
    Dear downvoters, some improvement suggestions would be really appreciated. – peterh Oct 15 '19 at 23:10
  • "Prisonder's Dilemma" requires that the parties can't communicate with each other, will not have later opportunities to reward or punish the other, and their reputation will not be affected. – browly Oct 18 '19 at 22:38
  • @browly Not the communication is closed out. What is closed out: they can't make an agreement forcing the other for anything. If the prisoners could communicate, and they could agree that neither will defect, how could be they sure that the other won't cheat him? The more wide criterium is, that they can't make an agreement enforcing the other. – peterh Oct 18 '19 at 23:20