• @ganksy
    link
    English
    2010 months ago

    Do they directly show(sell maybe) the exploits to the companies?

    • Uriel238 [all pronouns]
      link
      fedilink
      English
      4210 months ago

      White hats can be prosecuted via the CFAA. they usually aren’t (most of us are guilty of CFAA penalties) but some companies got sour to fixing their web security and instead would sue and push to prosecute.

      So in the early 2010s the white hat community went gray to survive. And companies that don’t pay their bounties oe cause trouble don’t get pen tested by white hats (at least not when wearing a white hat).

      • @[email protected]
        link
        fedilink
        English
        510 months ago

        How do you know if a company is going to pay to fix?

        Do you just have to take a chance and notify them?

        Either I make a bunch of money, or they say fuck off, or they send me to jail? It seems too iffy

        • @aksdb
          link
          English
          210 months ago

          I assume the idea is, that the company then has a contract with the hacker, so they can no longer sue him. They essentially hack themselves via proxy.

        • @[email protected]
          link
          fedilink
          English
          110 months ago

          Bounties are a bit nebulous.

          Actual pen testing companies have red teams (attackers) that have a scope of what they are allowed to target, and how they go about it.

          For example, just because a red teamer can get into the data center to do stuff locally doesn’t meet the scope requirement of testing their web page externally. They would be prosecuted most likely.

          Pen testing companies also have lawyers, at least they should, who help negotiate scope and what is legally allowed and in what context.

          Due to the secrecy needed for some tests, the security staff may not be aware a test is in place. From what I understand, generally people have some sort of paperwork on their person, or at least the contact information of someone at the company with the authority to authorize this red team pen test.

          That being said, cops may still get called, you may still get arrested, and have to deal with the courts.

          Or worse, some trigger happy security guard shoots you.

          I’m just studying that stuff though at the moment, so take what I said with a grain of salt.

      • @ganksy
        link
        English
        410 months ago

        Thank you! I appreciate the insight.

    • @[email protected]
      link
      fedilink
      English
      29
      edit-2
      10 months ago

      Thats what white hats would do and what these contests are usually for

      But its more like a bughunt with an open Bounty then selling afaik