
You realize you could be monetizing these security vulnerabilities, right?



How? If I report, nobody pays, not even a 'thank you'.


Homakov, by doing what you are doing.

A lot of people are watching you from your blog posts and some of these watchers would pay you good money to do a security audit.

I don't know the breadth of your expertise but I would reach out to some well respected security consulting firm and use your blog to demonstrate your interest/passion for web security. This might be a great way to broaden your expertise.

If you contacted 10 security firms, I'm sure at least one would hire you and cover visa issues if you plan on leaving the country.


Thank you. I hope so.


That is true for some people, but NOT for all. Recognized security experts, or anyone with a reputation in the field CAN get themselves heard, and information which they report will NOT be ignored. (Whether you will get paid for it is another matter. It depends.)

You used to be a "nobody" -- just some unknown developer whose English communication skills are a bit weak and who was likely to get ignored. That is no longer true. You are now "famous" in security circles, and if you approach people in a professional manner then I am confident that you will be heard.


> are a bit weak

Don't be too polite :) I reported holes that definitely should be reported.


Fuck reporting it, unless you're contractually obligated because they've retained you (or, if it's an open source project you like, and want to support). If vendors won't even listen to you, clearly they don't value your time or their product, or their customers.

You can sell security vulnerabilities to a variety of parties. If you want introductions, email me.

Some people view this as "wrong" in some ethical way, but meh. Money is good -- it can be exchanged for valuable goods and services. There have been a lot of arguments for "responsible disclosure", "anti-sec", "full disclosure", etc. over the years.

I'd draw the line at blackhatting yourself with the vulnerability, but just selling the info is legal. Generally, security companies are buyers, and their clients tend to be governments, generally western (USA).


I've been black hat in the past; now I'm completely white hat.


>"Money is good -- it can be exchanged for valuable goods and services."

Money is not "good". Money is "necessary" in our society because people are greedy bullies.


People that do stuff like that need to find another industry. IT is not for them. We're nice people, generally. Maybe try finance or real estate or lobbying or health care or defence work.


I agree the world would be better if it were just nice people being nice, but IT security has become defense, and is an increasing part of defense. Governments are buying.

I don't see a huge moral difference between smart hacker with $0 (publishing 0-day for the lulz) and smart hacker with $250k (selling vuln to a defense contractor).



