How do I sell critical vulnerability info to private company?

Here is the story. There is a private company that has some software product that is used by thousands of its customers. After spending a few sleepless nights on reverse engineering that product, I identified a critical flaw in it. The reason I explored this product was pure sport – reverse engineering is my hobby and nothing more.

But during my exploration I identified a very serious flaw that I did not expect. Exploiting it will mean extracting big money from the users of that software (customers of the company).

Now I’m not going to exercise that idea to steal money from other people; that’s way beyond my moral principles. Though somebody not really bound by such principles could make “big” money, permanently (for months or years), without a trace.

I think it makes sense to mention that this is the kind of company that makes money when its customers lose money, basically. Imagine financial trading, money lending, gambling, etc. – that type of industry. So nobody really “loves” them (incl. their customers), and they know it, and they’re ok with it.

I think it would be fair that I could sell this vulnerability info to the company for a large sum, but I’m not sure how (if at all) this can be done. Just revealing the exploit to the public, even proving (without revealing the details) that such a vulnerability exists (and has always existed!) would be a HUGE blow to the company, as they will probably lose a big portion of their customers. Nevertheless (and even considering that the company makes millions of dollars per annum), I’m almost sure they won’t be willing to pay me anything unless I provide 100% proof.

The dilemma is – how to explain to them the magnitude of that vulnerability without disclosing hints about where to search for it. If I disclose the software product, and what kind of action contains what kind of vulnerability, I’m pretty sure they will try to investigate the particular possibility in a particular use-case, and eventually find the vulnerability themselves. On the other hand, if I am vague (“I found something in one of your products that can be used to steal money from your customers”), I’m pretty sure they won’t believe me and won’t pay anything.

If I disclose the info to them without demanding anything, i.e. for a bona fide reward, I’m sure they won’t issue any reward. They’re just that kind of company – they don’t care about bona fide security researchers. They will fix it without even replying with a “thank you” mail.

Any kind of advice will be greatly appreciated. Is it not fair to expect some sort of payment from the company in such a situation? I’ve never dealt with such a situation before (as I mentioned, RCE is just a hobby for me).


“If you can prove it and they still will not pay, what will you do? The answer to that will determine if this is blackmail.”

I will not, under any circumstances:

  • Use the exploit myself to benefit.
  • Reveal the vulnerability details to the public (without giving the company an opportunity to fix it), so that other people can exploit it.

What I could do (and I’m still not sure whether this is a good or bad thing) is to tell the public about the mere existence of such a vulnerability. Something like a video demonstrating that such a thing is doable. As I mentioned, such an action would result in the company losing many customers, but if they do not bother to care, if they say “we don’t want to pay for that info”, would it be a morally wrong or right thing to do?

I don’t care about the company. They make millions by exploiting their customers, so they don’t deserve any respect from me. I did some work (spent some significant hours), and if the company wants to benefit from my work, it makes sense for them to pay for it, doesn’t it? OTOH, you might say that I have a responsibility to their customers to warn/protect them, but I fail to understand why I am obliged to do it for free(?). I.e., even doctors don’t cure you unless they get paid, right? Medicine for cancer treatment costs big money, because somebody spent their life researching it and now demands/deserves to be paid. In this light, I don’t understand why some comments are hinting I should do this for free. Could you please elaborate, am I really wrong to seek financial benefit for my work?

Does a saving-throw-type attack cause critical damage to an unconscious creature? [duplicate]

This question already has an answer here:

  • What counts as an attack?

The unconscious state description says

Any attack that hits the creature is a critical hit if the attacker is within 5 feet of the creature.


The target creature is unconscious. The attacker stands within 5 feet of it. The attacker attacks the target creature with a saving-throw-type attack of any kind, the Frostbite cantrip for example.

Does this attack cause a critical hit?

Is the Spell Bombardment additional damage die subject to critical hit dice doubling?

Level 18 Wild Magic sorcerers have the following feature (PHB, p. 103):

Spell Bombardment

Beginning at 18th level, when you roll damage for a spell and roll the highest number possible on any of the dice, choose one of those dice, roll it again and add that roll to the damage. You can use the feature only once per turn.

When you score a critical hit with an attack (even a spell attack), you double the number of dice you roll.

Does the additional damage die from Spell Bombardment also get rolled twice on a critical hit?

SharePoint custom list Critical Error

I’ve been researching on the web for quite some time now, and while others have reported a similar error message *”A Microsoft SharePoint Server State Service error occurred while processing your request. For more information, contact your server farm administrator.

Click Start over to load a new copy of the form. If this error persists, contact the support team for the Web site.Click Close to exit this message.”*

the solutions seem to be that there is a lookup choice field or a data connection that has gone awry. This form was working fine until a day or so ago, and there are no data connections – only the one for the submit (which is correct – I’ve checked it) and the choices data field, which is built into the form – it doesn’t go anywhere to get the choices; they are manually added to the field itself.

The thing is, once you fill in the form and hit submit, it will show “sending data to the server” for the prescribed time-out period, then ‘fail’ with the message above – however, the data is submitted to the library and the workflows fire as normal.

The Correlation ID returns nothing except Request URL: …/org/par/as/_layouts/15/Postback.FormServer.aspx, and when I network trace, it’s giving me a 401 / Unauthorized… but it’s been working before, and none of the logs I can find make mention of which account is unauthorized. I’ve checked the WFE and the SQL.. nada.

The only server change I know of is a WFE reboot..

Was hoping for some ideas from the community before I rebuild…


Does the reduce option from the enlarge/reduce spell have critical hit damage doubled?

The rule for critical hits states:

When you score a critical hit, you get to roll extra dice for the attack’s damage against the target. Roll all of the attack’s damage dice twice and add them together. Then add any relevant modifiers as normal. To speed up play, you can roll all the damage dice at once. For example, if you score a critical hit with a dagger, roll 2d4 for the damage, rather than 1d4, and then add your relevant ability modifier. If the attack involves other damage dice, such as from the rogue’s Sneak Attack feature, you roll those dice twice as well.

So I would expect that, if a character were enlarged via the Enlarge/Reduce spell, they’d roll an extra 2d4 damage on a critical hit.

Does that mean though, if they score a critical hit while reduced in size by the same spell, they roll 2d4 and subtract that value from the damage that is dealt?

Does the Temple of the Gods spell nullify critical hits?

I am already aware of this other question, “Can a Lore bard’s Cutting Words feature cancel a critical hit?”, and do not believe it answers my question, as this spell specifically mentions the d20.

The Temple of the Gods spell description states:

Whenever it makes an attack roll, an ability check, or a saving throw inside the temple, it must roll a d4 and subtract the number rolled from the d20 roll.

Can this ability change critical hits into normal hits or even misses?

Would getting a natural 20 with a penalty still count as a critical hit?

Since rolling a number up to 20 with modifiers (for example, 17 + 3) is not counted as a critical hit, what happens in the following case?

If I roll a natural 20 and because of penalties end up with a total of less than 20 (for example, 20 – 3), does it still count as a critical hit? Or in this case would it resemble a natural 1 with positive modifiers taking you out of a critical error?