Money talks
#1
So I found an SQL Injection vulnerability on a website with 500k average monthly views. The niche is news, and their database is at high risk (such as 40k user e-mails, names and passwords, admin's uname and pswd, articles' titles and content, etc). I wanted to know how much $ I should ask for as a bug bounty?
#2
Do they have an open bug bounty program? If they don't, you can't ask a price, and they might take legal action. Since they might take legal action anyway, you might as well dump the database and sell it on the darknet, or tell the admin you got their database and that you will release it unless they pay you X amount in BTC. Or just do both.
#3
Although this sounds more like ransom if there's no bug bounty. But I'm not going to stick my nose into it. We all have different intentions; I don't care much about the reasonings. But that being said, maybe something like http://www.worthofweb.com/calculator/ can help you appraise it, based on the website's worth. Although it doesn't always turn out correct.
#4
Umm, can they still take legal action even if one never disrupts their website's regular operation or releases any information? Most websites (such as Facebook, Twitter, Yahoo, Google, etc.) allow pentesting as long as you test on your own account and/or don't interfere with other users' experience.

@Insider, it says the website is valued at $2m and makes an estimated $30k per month.
#5
(03-15-2017, 11:50 PM)FabC Wrote: Umm, can they still take legal action even if one never disrupts their website's regular operation or releases any information? Most websites (such as Facebook, Twitter, Yahoo, Google, etc.) allow pentesting as long as you test on your own account and/or don't interfere with other users' experience.

@Insider, it says the website is valued at $2m and makes an estimated $30k per month.

But are you reporting to Facebook, Twitter, Yahoo or Google? Oftentimes, they probably won't pay you anything unless it's a ransom. Some websites may be thankful, but at the end of the day hacking is technically accessing unauthorized content in another system. Most companies don't like it when you quite literally steal their entire database; hacking can feel very intrusive, violating, scary, stressful, and shamed. Remember that hacking is still a punishable crime. It's not about whether we agree with it or not; it's just how things are, unfortunately.

Do what you want. You can cover your tracks appropriately if you would like to. But even in the process of hiding your tracks, remember that mixing your BTC is, in a way, money laundering, which is another criminal offense, among other things.

I honestly do not care about what you do but please just be prepared to take responsibility for your actions, and move carefully.

"He who knows when he can fight and when he cannot, will be victorious." - Sun Tzu

Also...
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable." - Sun Tzu

Move swiftly, silently, and elegantly.
#6
(03-16-2017, 01:42 AM)Cypher Wrote:
(03-15-2017, 11:50 PM)FabC Wrote: Umm, can they still take legal action even if one never disrupts their website's regular operation or releases any information? Most websites (such as Facebook, Twitter, Yahoo, Google, etc.) allow pentesting as long as you test on your own account and/or don't interfere with other users' experience.

@Insider, it says the website is valued at $2m and makes an estimated $30k per month.

But are you reporting to Facebook, Twitter, Yahoo or Google? Oftentimes, they probably won't pay you anything unless it's a ransom. Some websites may be thankful, but at the end of the day hacking is technically accessing unauthorized content in another system. Most companies don't like it when you quite literally steal their entire database; hacking can make someone feel very intrusive, violating, scary, stressful, and shamed. Remember that hacking is still a punishable crime. It's not about whether we agree with it or not; it's just how things are, unfortunately.

Do what you want. You can cover your tracks appropriately if you would like to. But even in the process of hiding your tracks, remember that mixing your BTC is, in a way, money laundering, which is another criminal offense, among other things.

I honestly do not care about what you do but please just be prepared to take responsibility for your actions, and move carefully.

"He who knows when he can fight and when he cannot, will be victorious." - Sun Tzu

Also...
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable." - Sun Tzu

Move swiftly, silently, and elegantly.

Cypher nailed it.

Bug bounties are generally only done by large corporations. I know you breached it. Generally, if they don't have a disclosure program, or a program of some sort, and you penetrated it, you're on the wrong side of the law.

I doubt, if you contacted them, you'd get a payoff. Most likely a court summons. Do what you will. Be careful out there.
#7
-___-

This is a very useless discussion...

@FabC

Your "sqli" isn't shit until you've dumped it.
Keep in mind that there may be many problems when dumping, such as an encrypted DB, exhausting your requests, or the admin taking down the rest of the DB... which has been the case plenty of times when I was nearly done or just starting dumping...

Don't rely on whitehat methods to make money; I've been making money successfully as a blackhat for over 6 years.
Many blackhat sites are now shit or dead. My only connection to other blackhats is Jabber (and of course them being my personal customers for DBs and specific DB content for yeaaaars).
That said, if you need a rough estimate, POST the name of the site, because from the details posted here it sounds very low quality....