Author Topic: Website Vulnerability Reward Programs, and Bug Bounties  (Read 550 times)

El Cheapo

Website Vulnerability Reward Programs, and Bug Bounties
« on: November 26, 2019, 02:37:57 PM »
Many large companies pay out rewards for reporting website vulnerabilities. I've discovered a way to defeat the subscription paywall on all the major news media websites - NY Times, LA Times, WaPo, etc. While not necessarily a 'security' vulnerability, it is a website bug, and it's costing them revenue. None of them have a published policy that I know of, but I feel like this falls into the category of "reward worthy".

Does anyone have experience with these types of programs?  Any tips on how to go about contacting a company about the issue without feeling/sounding like some kind of racketeer?  Is this an 'unethical' way to make money?

ditheca

Re: Website Vulnerability Reward Programs, and Bug Bounties
« Reply #1 on: November 26, 2019, 03:18:48 PM »
So... you are a black hat now?  Don't be on the wrong side of a free and open internet! /s

Major internet publishers would have to be staggeringly oblivious to not be aware of many methods of bypassing their paywalls.  The fact that the 'vulnerabilities' persist suggests that it is either uneconomical or otherwise undesirable to fix them.

Bug bounties are for security exploits that might make the company vulnerable to a lawsuit.  I doubt any organization would find your discovery "reward worthy."

bbqbonelesswing

Re: Website Vulnerability Reward Programs, and Bug Bounties
« Reply #2 on: November 27, 2019, 09:07:11 AM »
Check out HackerOne and see if any of those companies have an active bounty program:

https://www.hackerone.com/

It is quite common these days to pay out for bugs. If you reach out to these organizations they should point you in the right direction.

pk_aeryn

Re: Website Vulnerability Reward Programs, and Bug Bounties
« Reply #3 on: November 28, 2019, 02:22:07 PM »
Lots of people know how to get around paywalls - they’re just counting on MOST people not being smart enough or caring enough to do it.

My job also requires me to monitor a public-facing email address. We get a lot of marketing spam: “we can help you with your SEO, we have found ways to improve your website”. They’re BS and they get deleted immediately.