Ask HN: How do I pitch to companies with blatant security problems? - cookiecaper

Hello. There are several fairly major local companies which I know to have vulnerable systems in several regards. If I actually dug into these I am sure I would have serious, compromising vulnerabilities in no time flat. My only interest in such digging is to leverage that knowledge to get the company to hire me to fix it.

I have tried this before with some other companies. They have either not cared or reacted adversely with threats. I don't really want to dump a bunch of confidential info or publicly expose a vulnerability that would allow others to do so, but I understand that the whole theory behind security disclosure is that sometimes this is necessary to encourage companies to treat their data security with care.

So, my question is: Armed with specific knowledge of specific vulnerabilities, how do I present these in such a way that I get more than "our (obviously incompetent, two-person) IT team will look into it" or "if you keep poking around you'll be in hot water" or some other adverse/brush-off response, and if I get such a response, how should I go about disclosure in a way that will a) protect the data of individuals to the extent possible and b) make the arrogant local company likely to hire me to fix the problem, as they should have done originally?

Before someone objects, I want to be clear that I have no objection to working with competent IT teams to resolve bugs or problems, though I would be much more cooperative and easy to work with if I at least got a bounty of some kind. I suppose I can just bill for the time I would be working with the people. Uh, anyway, I do not intend to supplant all currently employed programmers/IT people. It's just that in many cases we know ahead of time that the IT department is either virtually non-existent, grossly incompetent, or both.

How do I put myself in a position where their pre-established relationships with these people do not come ahead of the confidentiality of user data and the supposed intrusion I am making by confronting the IT/exec team with serious problems and suggesting that they hire me to fix them?
======
seivan
Yeah, I did the same: <http://news.ycombinator.com/item?id=3406144>

I approached them with a reason why they are flawed, and how to fix it. I am
expected to have a small chat with the CTO on Skype around 5-6 hours from now.
So right now I'm preparing by coding on my game :)