Here is the story. There is a private company, that has some software product that is used by thousands of its customers. After spending few sleepless nights on reverse engineering that product, I identified a critical flaw in it. The reason I explored this product was pure sport – reverse engineering is my hobby and nothing more.
But during my exploration I identified a very serious flaw that I did not expect. Exploiting it will mean extracting big money from the users of that software (customers of the company).
Now I’m not going to exercise that idea to steal money from other people, that’s way beyond my moral principles. Though somebody not really bound with such principles could make “big” money, permanently (for months or years), without trace.
I think it makes sense to mention, that this is the company that makes money when its customers lose money, basically. Imagine financial trading, money lending, gambling, etc. that type of industry. So nobody really “loves” them (incl. their customers), and they know it, and they’re ok with it.
I think it would be fair, that I could sell this vulnerability info to the company for a large sum, but I’m not sure how (if at all) this can be done. Just revealing the exploit to the public, even proving (without revealing the details) that such a vulnerability exists (and has always been existing!) would be a HUGE blow to the company, as they will probably lose big portion of the customers. Nevertheless, (and even considering that company makes millions of dollars per annum) I’m almost sure they won’t be willing to pay me anything unless I provide 100% proof.
The dilemma is – how to explain them the magnitude of that vulnerability, without disclosing hints about where to search for it. If I disclose the software product, and what kind of action contains what kind of vulnerability, I’m pretty sure they will try to investigate the particular possibility in a particular use-case, and eventually find the vulnerability themselves. On the other hand, if I’ll be vague (“I found something in one of your products, that can be used to steal money from your customers”), I’m pretty sure they won’t believe and won’t pay anything.
If I disclose the info to them without demanding anything, i.e. for a bona fide reward, I’m sure they won’t issue any reward. They’re just that kind of company – they don’t care about bona fide security researchers. They will fix it even without replying with a “thank you” mail.
Any kind of advice will be greatly appreciated. Is it not fair to expect some sort of payment from the company in such a situation? I’ve never dealt with such a situation before (as I mentioned, RCE is just a hobby for me).
“If you can prove it and they still will not pay, what will you do? The answer to that will determine if this is blackmail.”
I will not, under any circumstances:
- Use the exploit myself to benefit.
- Reveal the vulnerability details to the public (without giving opportunity to the company to fix it), so that other people can exploit it.
What I could do (and I’m still not sure whether this is a good or bad thing), is to tell public about the mere existence of such a vulnerability. Something like a video demonstrating that such thing is doable. As I mentioned, such an action would result in company losing many customers, but if they do not bother to care, if they say “we don’t want to pay for that info”, would it be morally wrong or right thing to do?
I don’t care about the company. They make millions by exploiting their customers, so they don’t deserve any respect from me. I did some work (spent some significant hours), and if the company wants to benefit from my work, it makes sense for them to pay for it, doesn’t it? OTOH, you might say that I have responsibility about their customers to warn/protect them, but I fail to understand why I am obliged to do it for free(?) I.e. even doctors don’t cure you unless they get paid, right? Medicine for cancer treatment cost big money, because somebody spent their life researching it and now demands/deserves to be paid. In this light, I don’t understand why some comments are hinting I should do this for free. Could you please elaborate, am I really wrong to seek financial benefit for my work?