
Hacking Imgur for Fun and Profit - sintheticlabs
https://medium.com/@nmalcolm/hacking-imgur-for-fun-and-profit-3b2ec30c9463
======
a1a
These programs are great in the sense that companies are starting to accept
security research and appreciate responsible disclosure instead of non/full
disclosure.

However, and I know this is not a popular opinion and that most people argue
they do it "just for fun", in my mind the "just for fun" argument is
nothing more than an excuse for letting large corporations* use you.
Seriously, swag? Your hourly salary is minimum wage. What about all the time
you spend studying? You should get paid like everyone else. Even if you
really think it is that much fun, why wouldn't you want to be able to make a
living out of it? Your knowledge should be (and is!) valuable.

I don't really have a solution. Maybe time is the answer. Globalization does
not make it easier as the bounties are quite large from the perspective of
some countries.

What do you guys think? I think it is time we start valuing our knowledge. No
one will do it for us.

* If it is a start-up, non-profit, or a corporation you believe makes the world a better place the situation is different, obviously. Nothing wrong with volunteering your knowledge.

~~~
audleman
Cyber security is a paying profession and I don't think bug bounties undercut
that. A company that's not willing to pay and wants to put in place a bug
bounty will get what it pays for, which is a mystery to them and us. Others
will pay.

Fin Tech companies, for instance, have regulations that require a professional
audit every year. We recently paid out over $25k for one of them (and it was
worth it, their guys found some extremely subtle vulnerabilities).

Also hacking on sites for fun and profit is fun and something some people like
to do in their spare time. So some people are gonna do it no matter what.

------
soylentcola
I'm not nearly as adept at pentesting but out of curiosity, is there an
established point at which you just don't go any farther? Like a point between
"get a $5000 bug bounty" and "CFAA charges and prison time"? The author
mentions this at one point but it seemed like more of a gut feeling of not
being too intrusive.

When I read about this stuff, it seems like half of the articles end with some
company either patching or not patching their security holes with some tester
maybe making some money and the other half end with someone being charged for
accessing public-facing data that wasn't meant to be accessed.

~~~
sintheticlabs
For me, it boils down to two questions:

1. Does pursuing the vulnerability further benefit the research?
2. Would it cause any damage?

If the answers are yes and no, I'll happily see where it takes me and re-
evaluate as I go on. With bug bounty programs it's generally expected that
researchers are going to poke and prod at things which they otherwise
shouldn't, although some programs do specifically state their objections to
pursuing issues further. Facebook, for example, would rather you find an issue
and report it straight away while others might admire your creativity to show
exactly what an attacker could do.

------
stevenh
Congratulations on being such a Nice Guy. Do you feel good about helping an
unassailable and unaccountable titan of a given niche further cement their
dominance, and getting practically nothing in return?

~~~
Nadya
_> Congratulations on being such a Nice Guy._

The alternatives are to be a criminal or let tens if not hundreds of thousands
of users risk being compromised. I rather dislike Imgur - but if I discovered
a vulnerability I would still report it to them.

