Bitcoin Forum
Author Topic: Dumb Question : If I found a security flaw with a major bitcoin company ..  (Read 7283 times)
paraipan
March 26, 2013, 06:15:58 PM
 #21

No Reply to the first or second attempt. 



There is no issue if you disclose their name publicly. They could be pointed to this thread, or contacted by other means and people, if we know who they are.

SgtSpike
March 26, 2013, 06:16:46 PM
 #22

Fuck the law, if you live in another country just grab the damn coins!
Wow, you definitely make it on to my "do not trust, ever" list.
Isokivi
March 26, 2013, 06:18:50 PM
 #23

Fuck the law, if you live in another country just grab the damn coins!
Wow, you definitely make it on to my "do not trust, ever" list.
I also felt the urge to give that ignore button a go, despicable.

rebuilder
March 26, 2013, 06:20:19 PM
 #24

There is no issue if you disclose their name publicly. They could be pointed to this thread, or contacted by other means and people, if we know who they are.

If the flaw is truly boneheaded, disclosing the name might be risky.

Matthew N. Wright
March 26, 2013, 06:25:17 PM
 #25

There is no issue if you disclose their name publicly. They could be pointed to this thread, or contacted by other means and people, if we know who they are.

If the flaw is truly boneheaded, disclosing the name might be risky.

Indeed.

1.  I will not steal or publish the results.   

I had a few hundred coins stolen from me 2 years ago,  at today's prices it would be $20,946.88
I do not wish that to happen to anyone ever.

2.  I attempted for a second time to inform the company,  no response yet.  When it comes in I will let you guys know what I found and how the exploit happened... that's after giving the owners time to correct the problem.

I got blasted via private message on bitcointalk for not publishing the exploit and stealing coins.

I hope that a few years from now if I was on the other side of the table people would handle it like this rather than freaking stealing coins.   If people were Honourable they would reward this type of behaviour rather than sending private messages like that... 

Remember a few years back I called you because your site dropped off the internet and I wanted to see if you were okay?

Well, now I know. You're okay.  Cool

Insu Dra
March 26, 2013, 06:27:20 PM
 #26

If they keep ignoring you there is only one way: give them an ultimatum.

Tell them to fix the problem within a set time frame; if they don't respond or fix the problem, you will share the info with the public. Put this ultimatum up in a public place, name them and wait for a response ...

If they don't fix it or ignore you, disclose the info. If they sue, you have the right to inform people about possible threats to their well-being (unless you had to break in to their systems to get the info).

Speaking from experience, it usually doesn't get that far ;)

"drugs, guns, and gambling for anyone and everyone!"
the founder (OP)
March 26, 2013, 06:28:14 PM
 #27

The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Matthew N. Wright
March 26, 2013, 06:29:31 PM
 #28

The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Hmm.. Not responding to emails, only holds a hundred coins... sounds like a bitgem ripoff site or gambling site to me.

the founder (OP)
March 26, 2013, 06:33:20 PM
 #29

The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Hmm.. Not responding to emails, only holds a hundred coins... sounds like a bitgem ripoff site or gambling site to me.

Trust me it's a widely used service,  but the exploit only shows a limited number of coins...  there's an easy fix to this.   

This is not a problem that would destabilize bitcoin... it's the type of flaw that could get media writing though.. which is what I am trying to prevent.

Bitcoin has a 850 million dollar economy,  we're talking about at most a few thousand dollars worth of exploit...  it's something that should be fixed... but it's not something crazy like millions of dollars.



 

MysteryMiner
March 26, 2013, 06:33:36 PM
 #30

Fuck the law, if you live in another country just grab the damn coins!
Wow, you definitely make it on to my "do not trust, ever" list.
One thing is exploiting flaws in computer systems, another thing is exploiting social trust of people. I never exploited trading or other forms of commerce where some degree of trust is essential. In long run it will make some forms of e-trade impossible and will hurt my goals in long term. Contrary exploiting flaws in computer security improves overall security in long term. Without such activities internet would be insecure, censored and boring place. But I used social engineering to get payload into losers computers or phish passwords. But this is more technical than exploiting pure trust. Everyone with slight knowledge will notice wrong URL or different checksums.

I will give OP idea - if trying to crash market, announce here that it is MtGox and post receiving address here and say you will transfer there n amount of coins from MtGox. Then transfer coins from your MtGox account to the address afterwards. No exploit involved but many would believe in that and start sell sell sell

tysat
March 26, 2013, 06:34:41 PM
 #31

The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Hmm.. Not responding to emails, only holds a hundred coins... sounds like a bitgem ripoff site or gambling site to me.

Sounds like it's not a major bitcoin company...
the founder (OP)
March 26, 2013, 06:35:02 PM
 #32

Fuck the law, if you live in another country just grab the damn coins!
Wow, you definitely make it on to my "do not trust, ever" list.
One thing is exploiting flaws in computer systems, another thing is exploiting social trust of people. I never exploited trading or other forms of commerce where some degree of trust is essential. In long run it will make some forms of e-trade impossible and will hurt my goals in long term. Contrary exploiting flaws in computer security improves overall security in long term. Without such activities internet would be insecure, censored and boring place. But I used social engineering to get payload into losers computers or phish passwords. But this is more technical than exploiting pure trust. Everyone with slight knowledge will notice wrong URL or different checksums.

I will give OP idea - if trying to crash market, announce here that it is MtGox and post receiving address here and say you will transfer there n amount of coins from MtGox. Then transfer coins from your MtGox account to the address afterwards. No exploit involved but many would believe in that and start sell sell sell

IT'S NOT THAT BIG OF A FLAW TO CRASH ANY MARKET! 

It's a major bitcoin company... but the exploit isn't freaking stealing their whole wallet, just some people that utilize it.




paraipan
March 26, 2013, 06:36:15 PM
 #33

There is no issue if you disclose their name publicly. They could be pointed to this thread, or contacted by other means and people, if we know who they are.

If the flaw is truly boneheaded, disclosing the name might be risky.

How does a bitcoin business manage to amass hundreds of coins with an obvious flaw in their system? Does not compute!



@the founder disclose the name please, or PM a bitcointalk staff member that can assist you further.

Matthew N. Wright
March 26, 2013, 06:36:50 PM
 #34

The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Send them an email, tell them that you will take the coins so they are safe and no one else steal them (if someone else steal the coins, you'll be on the hook for it since you contacted them)
Grab the coins and email them and telling them you did it to prevent a not so honest person do the same..

I'm sure when they see the issue, they'll understand.


What about taking the coins then sending them to a known address of the company or company's owner. That might work.

MysteryMiner
March 26, 2013, 06:39:54 PM
 #35

I remember one guy who discovered flaw in university system, notified about it the responsible persons and got kicked out afterwards. If he would not be such white knight on donkey and instead anonymously vandalized the database and then leaked it on piratebay, no one would know who did it.

It really was bad idea to contact the owners about exploit.

paraipan
March 26, 2013, 06:41:08 PM
 #36

...
Sounds like it's not a major bitcoin company...

Seems so...


Zangelbert Bingledack
March 26, 2013, 06:41:45 PM
 #37

The flaw is idiot level.  It's something that I assume was explored,  methods against it were conceived and mostly implemented and someone forgot to upload it.

It had to have been something like that.

Good news though we're talking about at most a hundred coins..  Not thousands

Send them an email, tell them that you will take the coins so they are safe and no one else steal them (if someone else steal the coins, you'll be on the hook for it since you contacted them)
Grab the coins and email them and telling them you did it to prevent a not so honest person do the same..

I'm sure when they see the issue, they'll understand.

Like noticing someone dropped their wallet, picking it up and handing it back to them?
Energizer
March 26, 2013, 06:42:05 PM
 #38

Do not publish the bug. And do not exploit it. Keep trying to reach them. Usually it takes some time for your email to reach the right person within the company. Do not rush and do not take any action to be blamed about in the future.
the founder (OP)
March 26, 2013, 06:44:11 PM
 #39

THEY RESPONDED

paraipan
March 26, 2013, 06:46:13 PM
 #40

THEY RESPONDED


Lol, so you were trolling.
