by sn4pp 2301 days ago
> I would actively, publicly, and immediately disclose bugs that affect anybody who is a client of HackerOne.

Sadly you can't feed your children from media drama.

Maybe, in the long run, but it's more likely to get sued.


> Sadly you can't feed your children from media drama.

By the way, if the problem is "how do I reliably get money from bug bounties" (as opposed to "I found a cool bug, what do I do with it") --

I strongly recommend finding a product with some kind of barrier to entry. Most researchers on these platforms are very low-effort. A gigantic, complicated product, like Workday, or even better a gigantic, complicated product that requires payment (!), like Slack for Enterprise, will usually not be getting very many reports. That product is hard to understand. But that means that -- once you've put in the effort to understand the product -- there's a lot more low-hanging fruit, and the company is likely to treat researchers better because of the lower report volume.

The market for a freelance security researcher out there is hard, no doubt, but disclosing bugs publicly is an addition to your resume, akin to any other professional development you do. It demonstrates you can do the work and it shows the skills you have.

Suing someone for disclosing an actual bug is a long term losing proposition for any company in a competitive industry.

> but disclosing bugs publicly is an addition to your resume

Request disclosure on hackerone then. Idk, breaking the law to get a job doesn't seem ok to me.

The screenshot in #2 does show the H1 Staff screwing up -- @cybernews requests disclosure and gets a response saying "you may request disclosure if you would like this reviewed, using the drop down menu" (which @cybernews has already done).

@cybernews' behavior in that thread isn't ideal, but they're more in the right than in the wrong on that one, judging by the screenshot.

I'm not talking about this case specifically.

At least Paypal was notified before the public disclosure!

Full disclosure isn't a crime in the United States, at least.
Hacking PayPal is a crime tho'.

Except for when you play their game, which means: submit bugs via h1 and only disclose if they allow.

Legitimately interested in your explanation as to how this specific research would be a crime absent contact with HackerOne. Please cite statute. I'm not saying you're wrong - simply asking you to back up your claim with evidence.

I'm sorry, won't do that, don't know why. I'm pretty sure there's something like a computer abuse act. If you don't follow their rules, how would it be legal to hack on their servers?

> Sadly you can't feed your children from media drama.

So it seems like the real answer in these cases is selling the exploit on the "dark web". I mean why not? The vendor doesn't seem to care about security anyway.

"Dark web" for things that are not relevant to Five Eyes and NSA when they are relevant. At least in those cases, with good opsec for the "dark web", you can be reasonably sure the company who made the product can't retaliate against you.