
Ask HN: When can you expect to be sued by a Big-4 for exploiting a loophole? - FreezeBurn
Hi, I found a weakness on a Big-4 website: whenever I create an account and launch a certain script, I'd earn $50-70, and I can do this a virtually unlimited number of times. I do NOT need to lie or use fake credentials to take advantage of this.
I warned them about it and sent them some of my code.
They classed it as a low priority issue, said they were aware of it, that it was "working as intended", and that they didn't plan on fixing it.
So I'm like, ok, maybe they don't realize that I can do this on a large scale, that's free money then, or maybe it's just that they're a multi-billion dollar company after all, why would they care about a measly few thousand $ or a few grand of damage.

I think it would be hard for them to get me convicted as I'm only using my real legit credentials, but they could certainly ruin me with legal fees if they ever wanted to sue me.

When do you think I should stop? I did it with a few accounts already, I honestly think I could easily make a few grand per day if I went all in on this, I don't know when I should realistically expect to get in trouble.

I kinda want to use this as a way to live well while working full time on my startup, this is probably a crazy idea, but it could work.
======
staticautomatic
Yeah they could sue you, and you'd have to get quite deep into defending it
because your best shot at a defense (depending upon what exactly they told
you) is probably estoppel, which is an affirmative defense you could win on I
think no earlier than summary judgment. That is to say, after you're bankrupt.

~~~
FreezeBurn
Thanks, here's what they said: "status of the issue": "Won't Fix (Intended
behavior)"; "we made the decision not to track it as a bug, as we already know
about this problem"

~~~
staticautomatic
If they hadn't said "this problem", then a gambling man might consider running
a game. I would not risk it.

------
simonpure
Proper etiquette is to report a potential vulnerability through the
appropriate channels, give them sufficient heads-up that you will publish your
findings and then go ahead and do a write up.

Ideally, your startup is related somehow so you can take this opportunity to
get people curious enough to check it out and drive some traffic.

I always like a good story about how people find new vulnerabilities and if
it's written well would definitely read it and probably click through to your
startup.

Your efforts are much better spent on your startup than trying to find short
term hacks.

Also, I'm not a lawyer and this is not legal advice.