I found an exploit. Where to sell?

[PremiumCodeX]

It is NOT that I want to sell the exploit itself in this forum. Let us say, I found an exploit in a library that alot of crypto products use and cannot handle in their code. Again, I do not want to destroy them by selling what I found itself.

So, what are my options to HELP people with this knowledge AND still make PROFIT?

I have my doubts that releasing a public thread about it would mean any help and reporting it individually may not reach the desired impact especially if the developers have less sophisticated English communication skills and the discussion ends up in confusion as I experienced a few times in the past.

[1713583722]

1713583722

[1713583722]

1713583722

[poesjesvanger]

Sell it to 1 person on this forum?

[PremiumCodeX]

Sell it to 1 person on this forum?

Yes, I could sell it to someone who I keep trusted and think that he would use it only within certain limits (without causing harm to others) for his own education, but can I truly trust someone with this?

[UGMZ]

You should head over to here mate.

https://www.exploit-db.com/

I would also do a full disclosure to who ever made the code give them 30 days to fix it then release it on the DB. Unless they fix it..

You might also get a bug bounty from them if its serious enough.

I would really like to know a bit more about this. I do a lot of pen-testing and debugging, So this is right up my street!

It all depends on what color hat you dawn my friend! White, Black, Grey there are many places to sell exploits if you have the right contacts and access to the right markets.

[freebutcaged]

Sell it to 1 person on this forum?

Yes, I could sell it to someone who I keep trusted and think that he would use it only within certain limits (without causing harm to others) for his own education, but can I truly trust someone with this?

Can I suggest something? just first use it widely for everyone to see the impacts and then you have your proof after that you could bargain about a deal with devs and demand a large amount to safeguard your future if it is something critical otherwise don't trust anyone with it at all costs.

[PremiumCodeX]

-

Good idea, about giving them time to decide how much they would mind if I released it elsewhere!

I prefer to keep things in the ethical way as I look forward to earning my first certificate in this area very soon (the exam will be in next month) (:, but I have not signed any obligation yet so a slight color of darkness may not hurt until I draw attention in the professional line.

Actually, I am thinking of posting the idea of a small cybersecurity team or similar in BCT since I know that it would be helpful for the community and probably excellent fun opportunity too.

I was glad to see that You too were interested in this field. I look forward to discussing with You soon

Can I suggest something? just first use it widely for everyone to see the impacts and then you have your proof after that you could bargain about a deal with devs and demand a large amount to safeguard your future if it is something critical otherwise don't trust anyone with it at all costs.

Yeah, proving it is an issue too. I would have an easy method to prove it, but that actually includes the usage of the exploit itself (so obtaining full access to their product/DB), which I do not want to push them into panic with. Something like a whitepaper could look legit, but why would they even bother reading a wall of technical text without actual demonstration?

[ImHash]

We live in a world where people kill for a few more years living under or on top of young girls having nice houses and cars drinking best beverages and eating good meals don't forget doing drugs and most importantly don't forget ISIS the terrorists just make sure it doesn't end up in the wrong hands.

[carlfebz2]

Sell it to 1 person on this forum?

Yes, I could sell it to someone who I keep trusted and think that he would use it only within certain limits (without causing harm to others) for his own education, but can I truly trust someone with this?

You cant tell if you choose the right person since people do have different minds and aims when it comes to money.I would rather choose to monetize that exploit to myself rather than selling it to someone and i could say that theres no people could be trusted on this forum. IMHO

[Bitcoin_BOy$]

There's a place in this forum for bugs and securities issues, You will find more information in this thread

https://bitcointalk.org/index.php?topic=483195.0

Regards,
Bitcoin Boy.

[ErikSneijer]

We live in a world where people kill for a few more years living under or on top of young girls having nice houses and cars drinking best beverages and eating good meals don't forget doing drugs and most importantly don't forget ISIS the terrorists just make sure it doesn't end up in the wrong hands.

This is true, make a good decision, I think the idea about the exploit-db and giving them sometime is a good method to help them out and you will get rewarded by them most of the times.

[maybach1980]

price???
pm me infos

[Qartersa]

It is NOT that I want to sell the exploit itself in this forum. Let us say, I found an exploit in a library that alot of crypto products use and cannot handle in their code. Again, I do not want to destroy them by selling what I found itself.

So, what are my options to HELP people with this knowledge AND still make PROFIT?

I have my doubts that releasing a public thread about it would mean any help and reporting it individually may not reach the desired impact especially if the developers have less sophisticated English communication skills and the discussion ends up in confusion as I experienced a few times in the past.

Maybe sell it to the owners of that code and make a profit. You would be an ethical hacker as well as a savior in their eyes as well as the world (or at least in the eyes of the owner of the code and its users). Instead of selling it to exploit and cause damage to the owner, I would recommend to go with my suggestion. It would be a battle of good and evil for you my friend.

[Viakor]

Just try to contact them and say that you can help them and that you have found an exploit, they will for sure give you something for it!.

[eaLiTy]

Just try to contact them and say that you can help them and that you have found an exploit, they will for sure give you something for it!.

Yes contacting the site and informing the site about the possible exploit is the best way to help them out rather and simply attracting would be hackers to the site and if the site do find it as a major find i am sure they will compensate you with a bounty without any doubt, why dont you try that path before starting a thread here,is it because you have not heard about bounty programs.

[pinkflower]

It is NOT that I want to sell the exploit itself in this forum. Let us say, I found an exploit in a library that alot of crypto products use and cannot handle in their code. Again, I do not want to destroy them by selling what I found itself.

So, what are my options to HELP people with this knowledge AND still make PROFIT?

I have my doubts that releasing a public thread about it would mean any help and reporting it individually may not reach the desired impact especially if the developers have less sophisticated English communication skills and the discussion ends up in confusion as I experienced a few times in the past.

Maybe sell it to the owners of that code and make a profit. You would be an ethical hacker as well as a savior in their eyes as well as the world (or at least in the eyes of the owner of the code and its users). Instead of selling it to exploit and cause damage to the owner, I would recommend to go with my suggestion. It would be a battle of good and evil for you my friend.

This is the best route to go. Be of value to the world and dont be motivated to move because of a potential reward. If you really want to profit from your discovery then the darknet could be the perfect place for you. You can start looking around Alphabay and offer your warez there.

[player514]

It is NOT that I want to sell the exploit itself in this forum. Let us say, I found an exploit in a library that alot of crypto products use and cannot handle in their code. Again, I do not want to destroy them by selling what I found itself.

So, what are my options to HELP people with this knowledge AND still make PROFIT?

I have my doubts that releasing a public thread about it would mean any help and reporting it individually may not reach the desired impact especially if the developers have less sophisticated English communication skills and the discussion ends up in confusion as I experienced a few times in the past.

Maybe sell it to the owners of that code and make a profit. You would be an ethical hacker as well as a savior in their eyes as well as the world (or at least in the eyes of the owner of the code and its users). Instead of selling it to exploit and cause damage to the owner, I would recommend to go with my suggestion. It would be a battle of good and evil for you my friend.

Agreed. You get money and you still get known as a good person. Technically, according to moral laws of this forum (and I guess earth in general), following the rules will place you in a good spot. Weigh out the options right now. There are numerous things that could go wrong with selling the method to someone -- could get saturated, company could find out, the person could sell it to the company instead of you and take your credit. These things (and more) all factor in to what you should do. I think the best route is to tell the company itself.

[digaran]

Obviously this OP doesn't want ethical lectures and just is asking where to sell, well if you can use the exploit to take an advantage then use it or if you trying to use it and know they might notice it, then don't bother to sell it at all because it doesn't worth anything and experts would know and will never pay anything for it.
If you think living by cheating and taking advantage over people is the way of human life, you thought wrong imo.

[maku]

Let's make it clear. Maybe I didn't understand Op correctly. You found security flaw of bitcointalk and now you want to sell for money?
Or you were talking about some other generic exploit of other service? The best way is always telling the owner... even if you won't profit much from it.

If we are talking about bitcontalk then the best way IMO is sharing this bug with theymos -
you will be rewarded with special badge, visible above your avatar and will most likely receive positive trust rating from staff members.
Maybe there is even bounty for safely sharing a security flaws? I am not sure.

[PremiumCodeX]

I think, I have taken enough time to think about this matter. Since this is an exploit not in the forum software, but somewhere else that affects alot of service being sold in the forum, I find examining the bug bounty program of these services in the https://bitcointalk.org/index.php?topic=483195.0 thread, what @Bitcoin_BOy$ suggested too, a very good start. I did not know that there was such a convenient list of programs collected. If you are a service owner yourself, you may consider adding your service there!