What should you do if you find a vulnerability or error in a specific platform?


There is no perfect system in this world, least of all in computing. Any platform, application, website or program may be less solid than you think. There are even people who have dedicated themselves entirely to discovering the flaws in these platforms and extracting value from them, and if you wonder why, the answer is simply that it is currently one of the most profitable areas in the world. It may also happen that one day you find a bug or software flaw in a digital platform that could be your golden chance to finally earn a reward, but behaving badly, or not knowing enough about how to act in that situation, may cost you that reward. We are here, my friend, to help you as much as we can.

First things first, why would you want to report it at all?

I remember a funny conversation I had with someone who may have found a problem in the Facebook platform that enabled him to see other people's messages without having to access their accounts. He was torn. From his simple point of view, the worst scenario was that he reports the vulnerability, Facebook thanks him, and closes it, so he decided to exploit it to spy on his girlfriend for at least half a day before Facebook went ahead and closed it and added the name of the person who reported it to its Hall of Fame. If you encounter the same scenario in the future, please do report the vulnerability. Why? Because any network, platform or system in this world (especially the famous ones) has what is called a Bounty Program. This system lets you report flaws in websites, applications, programs and platforms; the vulnerability is then evaluated according to its severity (is it a security vulnerability, a threat, just a bug...) and a cash prize corresponding to that evaluation is released.

The platforms that pay you for the vulnerability:

Secondly, if you are a security researcher, or someone trying to find a vulnerability at any cost, first make sure that the platform you are examining accepts paid vulnerability reports. Technically, most companies pay to have vulnerabilities found and fixed, but some companies have their own dedicated team and staff that take care of this, with no external alerts at all (Amazon, for example). To help you find the most prominent platforms and companies that run a Bounty Program or pay for vulnerabilities, there is the site Bugcrowd, which provides an alphabetical list of companies that pay for vulnerability reports and of those that do not.

On the Bugcrowd platform you will find many options. In general, go to the link given above and search for a specific company or system. In our case we searched for the Android system, and next to the Bug Bounty tag we found a check mark, which means Google accepts vulnerability reports for Android; you can submit your vulnerability via the Android Submission URL. If the company is not on this list, you have only two options. The first is to contact the company directly and tell them you found a vulnerability, explain the vulnerability and how it could be exploited against them (without giving further details about how to find it or close it), and ask for payment in return. If they refuse, you are free to do what you want with it, whether exploiting it or selling it to other companies (we will mention some of these below) and so on.

But before reporting your vulnerability, make sure:

Not every problem, bug or loophole will earn you a return, my dear brother. You cannot, for example, sit down, try to send a message on Facebook or Twitter, see a strange error for the first time, decide it is a bug and rush to write to Facebook hoping for a few dollars. It does not work like that. Each company has its own Bounty system, meaning its own rules about which types of vulnerabilities it accepts and pays for, but here we list the main rules that most companies with a Bounty system share:

  • First, the vulnerability must be a security vulnerability, meaning one that in some way threatens the safety of users or of the team behind the platform, such as vulnerabilities that lead to accessing accounts, reading messages, or accessing personal information that another user is not supposed to see.
  • The vulnerability must have been reproduced more than once and in more than one way. A simple error that happens to you only once is not something to report; it may be a problem caused by your own computer or device rather than the platform itself, so try it again and again and make sure it is not a one-time error.
  • The defect or loophole must be in the system or platform itself, not in a third party it relies on. For example, if you use a platform, choose to register via Facebook, and then run into problems or a bug, this will not count, because the problem is in the third party and not in the platform itself.
  • Do not look for the error or loophole in the Alpha or Beta version of a platform. For example, Google releases the Android system to developers before it is officially launched to users; if there is a vulnerability in the developer version, Google may pay you something or simply thank you, but it will not consider it a security vulnerability or treat it as a critical loophole.
  • It should be a Zero-day vulnerability, i.e. one that was not previously discovered in the platform, rather than a defect that merely brought an already-known vulnerability back to the surface; the vulnerability must be something new (not always, in fact: sometimes even non-zero-day vulnerabilities are accepted).

There are more rules besides these: each platform publishes a list describing the types of vulnerabilities it accepts, which you can look up and review.

What to do when you find a vulnerability that matches all of the above?

If you find a loophole that respects all of the above, it is now time to report it and perhaps get something in return. To do this, you have two approaches. First, use the Bugcrowd site and go directly to the Bug Bounty Program page of the platform in which you discovered the vulnerability. On that page you will find a set of e-mail addresses or contact forms that you can fill in directly to establish contact with the site's administrators. Later, you will receive a reply from the website owners asking questions such as when the vulnerability occurs, how you discovered it, the tools involved, and so on, and they will ask whether you have a prepared fix for it. They will take your answers and either correct it themselves or apply your instructions to correct it. They will also tell you the price the platform pays for such information; you will be paid a few days after the vulnerability is fixed, in the way you prefer, and your name will be added to the platform's Hall of Fame of people who discovered vulnerabilities in it.

The second approach applies when you cannot find a Bounty Program page for the platform on Bugcrowd, which means the platform may not accept vulnerability reports or has no Bounty system at all. Here you will need a broker to mediate between you and the company, the most famous being the Zerodium site. What exactly does this broker do? It looks at the vulnerability you found and buys it from you for a fee (you will not get your name in the Hall of Fame after the vulnerability is fixed, and this is the biggest downside of brokers). After that, the broker contacts the company directly and informs them of the vulnerability and how to correct it. Most companies are now using a broker like Zerodium.

Now, my friend, you know what to do when you encounter a bug, error or software problem on a specific site or platform, so good luck on your path.
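To make the eligibility rules listed above and the questions a program will ask you concrete, here is an added example of a pre-submission checker written for this article; it is not part of the original text and not a tool from Bugcrowd or any program. It encodes the article's rules (security impact, reproduced more than once in more than one way, not a third-party component, not an alpha/beta build, not a known duplicate) and the questions the article says a program will ask (when it occurs, how it was found, the tools used, a proposed fix). The field names, the regular expression for pre-release builds and the sample report are assumptions constructed for this example.

```python
"""Pre-submission checker for a vulnerability report draft.

Added example for the article; field names, the pre-release pattern and
the sample report are constructed for illustration, not taken from any
real bug bounty program.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

# Version strings that mark a pre-release build (assumed naming conventions).
PRERELEASE = re.compile(
    r"\b(alpha|beta|dev(eloper)?[ -]?preview|rc\d*|canary)\b", re.IGNORECASE
)


@dataclass
class ReportDraft:
    program_domains: Set[str]      # hosts the program itself owns
    affected_url: str              # where the issue was observed
    build_version: str             # version of the platform that was tested
    security_impact: str           # what an attacker gains; empty for a plain bug
    reproductions: List[str]       # one entry per successful reproduction, naming the method
    duplicate_of: Optional[str]    # id of an existing public report, if any
    when_it_occurs: str            # answer to "when does it happen?"
    how_discovered: str            # answer to "how did you find it?"
    tools_used: List[str]          # answer to "which tools were involved?"
    proposed_fix: str = ""         # optional prepared fix


def host_belongs_to_program(url: str, program_domains: Set[str]) -> bool:
    """True when the URL's host is one of the program's own domains or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in program_domains)


def failed_rules(r: ReportDraft) -> List[str]:
    """Return the list of article rules the draft does not satisfy (empty = ready)."""
    problems: List[str] = []
    if not r.security_impact.strip():
        problems.append("no security impact described; a plain bug is not eligible")
    distinct_methods = {m.strip().lower() for m in r.reproductions if m.strip()}
    if len(r.reproductions) < 2 or len(distinct_methods) < 2:
        problems.append("reproduce it more than once and in more than one way")
    if not host_belongs_to_program(r.affected_url, r.program_domains):
        problems.append("affected host is a third party, not the platform itself")
    if PRERELEASE.search(r.build_version):
        problems.append(f"build {r.build_version!r} is a pre-release (alpha/beta) version")
    if r.duplicate_of:
        problems.append(f"duplicate of known issue {r.duplicate_of}")
    for name, value in (("when it occurs", r.when_it_occurs),
                        ("how it was discovered", r.how_discovered)):
        if not value.strip():
            problems.append(f"answer the program's question: {name}")
    if not r.tools_used:
        problems.append("answer the program's question: tools used")
    return problems


def sample_report() -> ReportDraft:
    """A constructed draft that passes every rule (the article's 'read others' messages' case)."""
    return ReportDraft(
        program_domains={"example-social.test"},
        affected_url="https://www.example-social.test/messages/inbox",
        build_version="web 2024.03",
        security_impact="a logged-in user can read another user's private messages",
        reproductions=[
            "desktop browser, two fresh test accounts, reproduced three times",
            "mobile app, a second pair of test accounts",
        ],
        duplicate_of=None,
        when_it_occurs="whenever a conversation the user is not part of is requested",
        how_discovered="noticed while testing with my own two accounts",
        tools_used=["browser developer tools"],
        proposed_fix="check that the requester is a participant before returning a conversation",
    )


if __name__ == "__main__":
    draft = sample_report()
    print("ready to submit" if not failed_rules(draft) else failed_rules(draft))
```

Run it once on a draft before you write to the program: an empty list means the draft answers everything the article says a triage team will ask; otherwise each entry names the rule to fix first, which saves a round trip with the vendor.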
