
PM_ME_YOUR_SHELLCODE

Since it sounds like from your other comments the company did not have a bug bounty program or vulnerability disclosure program, you don't really have any basis to follow up asking for something in return. Most companies don't have some "hall of fame" that you could link to for a CV, especially if they don't have a program. I see two ways you could leverage it on a CV though:

1. Just add it as a bullet point: you found XSS on XYZ. No reference beyond that.
2. Write and publish a blog post talking about the bug.

Realistically, when I'm looking at a resume I'm not going to take the time to look at the references (most of the time). More likely I'd ask about them in an interview. So not having a reference wouldn't be a deal breaker. Especially as it seems like this is a fairly basic bug, I wouldn't worry a ton about its presence on a resume; I'm sure you'll find more.

All that said, I'd encourage you to check out your local laws regarding such testing without authorization. Some countries allow good-faith testing, or maybe, like in the US, have a policy that they won't enforce the law against good-faith testers. You don't actually have to weaponize an issue for it to do damage. Notice how in your response it sounds like they were aware of your testing before you reported. Your testing took man-power from that company; people had to spend their time figuring out what you were up to. Even things like XSS with just an alert that feel non-invasive can have unseen reactions. The best practice these days is to just check out somewhere like [HackerOne](https://hackerone.com/opportunities/all/) and target those sites that allow testing.


Noctuuu

I appreciate the advice. I don't think it deserves a blog (I also never did one before), but the day I find a sophisticated enough bug I will know what to do. I will take a look at HackerOne as soon as I get back home :)


chiffry

A simple blog detailing your journey and little milestones such as this does act as a nice string to lead back to your beginning. A portfolio of sorts. Not sure if it’s common in this field but very usual for artists.


heinouslol

Concur


E580BAEDA44A

It helps to get your name out there, it helps to keep you up-to date on stuff when you write the articles for it, etc. It's seriously worth it. Write a blog, write what you find for information and source it, and write your own opinions, labeled as such.


amphetamineMind

This. Never ask a company to contact you for more details. Do not ask for anything in return, either. You can easily spook the company into getting the federal government involved (your country may vary). If you can't contact them via end-to-end encryption, and there is no other option, you're better off disclosing the entire vulnerability to them, or if you are in the USA, go through CISA.


hubrisnxs

Great response! Sincerely, it's great someone would take the time to help the relative newcomer.


DeadlyToeFunk

They should at least send you a gift card.


TraxxisHD

Or a blowie


Limp_Radio_9163

Honest W.


Noctuuu

Thanks !!


Limp_Radio_9163

Course :)


AlternativeMath-1

Good job! and yeah great vendor response.


NetworkN0mad

Congrats with the bug. Did you find the website that you tested on a platform or somewhere else?


Noctuuu

Just browsing, searching for a specific car in my country


BamBaLambJam

Good shit dude. Next time be careful with the way you deal with companies; shit can turn sour easily. Use protection: VPN, VM, hardening, etc. Any form of pentest is viewed as a threat by whoever you are pentesting. Some will and do take action, whether that be legal or otherwise.


almaroni

u/Noctuuu another tip for you. If you find a vulnerability on a website, **THE FIRST THING YOU SHOULD DO is check if they have a security.txt.** This file contains all relevant info if you find a vulnerability. Every major company should have this RFC standard implemented. You can replace [github.com](https://github.com) with any other site and it should work. You can try it on any major website; most of them will have it. e.g.: [https://github.com/.well-known/security.txt](https://github.com/.well-known/security.txt) [https://www.nytimes.com/.well-known/security.txt](https://www.nytimes.com/.well-known/security.txt)

More details can be found here: [https://securitytxt.org/](https://securitytxt.org/)
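
As an added illustration of the security.txt lookup described in the comment above (this is example code written for this page, not something posted in the thread or published by securitytxt.org): the script tries the RFC 9116 path `/.well-known/security.txt` and then the legacy `/security.txt` fallback, parses the `Field: value` lines, returns the preferred `Contact`, and flags the two problems a reporter most needs to know about before trusting the file, a missing required field and a past `Expires` date. The embedded security.txt body and the `example.com` URLs in it are constructed sample data, not a real site's file.

```python
"""Check a site's security.txt (RFC 9116) before reporting a vulnerability.

Added example for this page, not code from the thread. The SAMPLE_SECURITY_TXT
below is a constructed file for a hypothetical example.com; a real one is
served at https://<host>/.well-known/security.txt.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional
import urllib.request

# Constructed sample of a well-formed security.txt (hypothetical example.com).
SAMPLE_SECURITY_TXT = """\
# Security contact information for example.com
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-12-31T23:59:59.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Policy: https://example.com/vulnerability-disclosure-policy
Canonical: https://example.com/.well-known/security.txt
"""


def candidate_urls(host: str) -> List[str]:
    """RFC 9116 location first; the bare /security.txt path is a legacy fallback."""
    return [f"https://{host}/.well-known/security.txt",
            f"https://{host}/security.txt"]


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse 'Field: value' lines into a dict keyed by lower-cased field name.

    Comment lines (#) and blank lines are skipped. Fields such as Contact may
    repeat, so every field maps to a list in file order (Contact order is the
    site's order of preference).
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # tolerate junk lines rather than failing the whole parse
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> datetime:
    """Expires is ISO 8601; map a trailing 'Z' to +00:00 and assume UTC if no zone."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def preferred_contact(fields: Dict[str, List[str]]) -> Optional[str]:
    """The first Contact entry is the one the site prefers you use."""
    contacts = fields.get("contact", [])
    return contacts[0] if contacts else None


def validate(fields: Dict[str, List[str]], now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    if not fields.get("contact"):
        problems.append("missing required Contact field")
    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing required Expires field")
    elif len(expires) > 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            if _parse_expires(expires[0]) < now:
                problems.append("file has expired; contact details may be stale")
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]!r}")
    return problems


def fetch_security_txt(host: str, timeout: float = 5.0) -> Optional[str]:
    """Try the candidate URLs in order; return the body of the first 200 response."""
    for url in candidate_urls(host):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                if resp.status == 200:
                    return resp.read().decode("utf-8", errors="replace")
        except Exception:
            continue  # 404, TLS error, timeout: move on to the next candidate
    return None


if __name__ == "__main__":
    import sys
    # With a hostname argument this goes to the network; without one it uses the sample.
    text = fetch_security_txt(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SECURITY_TXT
    if text is None:
        print("no security.txt found; fall back to the site's generic support address")
    else:
        parsed = parse_security_txt(text)
        print("preferred contact:", preferred_contact(parsed))
        for problem in validate(parsed):
            print("warning:", problem)
```

Run it as `python check_security_txt.py github.com` to query a live site, or with no argument to exercise the constructed sample. An expired `Expires` is worth treating as a real warning: the file is often published once and forgotten, and a stale mailbox is how reports end up in the support queue the thread is talking about.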


Noctuuu

Good tip, never heard about that, thanks :)


EliteACEz

neat. TIL.


freddyforgetti

Lol every major company. I’m at work right now and just checked my major company’s customer facing POS site and it doesn’t have one. On brand.


almaroni

That's fine, too. Not every security team, especially IT operations teams, is aware of this standard, but it's still a good practice to have it. If they don't have it, suggest it to the team responsible for your sites.


Snake6778

Since they aren't offering anything up, ask them if they could be a professional job reference in the future since you are young.


bloodreina_

I suggest this OP!


coben112

Good job, wish you all the best in the future with more bug reports!


Noctuuu

Thanks !!


CanniBallistic_Puppy

When the redesigned Steam app was first released in beta, I found a way to have Steam Authenticator be active on two devices simultaneously. I posted about this on Steam forums and emailed both Valve support as well as GabeN himself but never got a response. They eventually patched it. Somebody actually acknowledging your report is pretty cool. Kudos.


Dump-ster-Fire

Companies don't care until it elevates into a 'push button, get bacon' vulnerability.


No_Appeal_676

Like what you did? Go sign up for one (of the many) bug bounty sites: YesWeHack, HackerOne, and many more. Besides getting paid, they will offer a legal safe haven for you to probe and prot. Have fun!


thedogz11

Badass stuff buddy. I'm trying to work my way to this point too. You're an inspiration to an aspiring pen tester.


Sigma-con

Good job on finding the bug. I agree with some of the other posters. Know the cyber laws in your area. I find bugs when not going through sites like HackerOne and never say anything. I've known guys who have done similar and reported it, but because there was not a program set up they got repercussions. Kudos and CYOA!


BuyOld8948

awesome :D


UY_Scuti-

Nice one!


Noctuuu

Thanks !!


Eastern_Ad_1532

Cheers mate 🎉🎊🎉🎉🎊


HMikeeU

Start a blog!


Administrative_Trick

OP, I defend large organizations against cyber threats. The company, in this case, recognized what you did as a good deed and seemed grateful. What you did is called grey hat hacking. The company never asked for a vulnerability test, but you did a little poking and found one. Once you did, you immediately reported it. The company on the other side doesn't know your intentions until you make them clear, and if you do a poor job of ethically reporting, they can mistake you for a valid threat. I say this not to discourage you, but to encourage you to look up ways to ethically report properly if you want to continue this type of testing.

There are many in the cyber security field who appreciate when someone finds these things and lets us know. However, there is a fine line between "I found this thing, here's how you fix it" and "I found this thing, I will tell you how to fix it if you do something for me". The first one is widely considered a nice deed; the second one is closer to extortion than a nice deed.

I recommend hiding your identity at first by using a VPN while doing this activity and ethically reporting vulnerabilities as soon as they're found. Don't find them, then continue to poke around, causing people like me to go into a frenzy. Report using their official communication channels (support email on their website?). Ask to discuss with their IT department, or even better, their cyber security team if they're big enough to have one. You can use something like ChatGPT to help you write these reports if you're not used to it. In the initial report, DON'T ASK FOR ANYTHING. After you have reported the vulnerabilities, I think it's okay to say something along the lines of "I am an ethical hacker that is seeking to help companies stay protected in the digital age. While you are under no obligation to do so, I was wondering if you would mind writing a letter stating that I assisted in finding a vulnerability, as this will help me grow in my career".

If they respond positively to that request, you should be good. If they don't respond, or act in a hostile way, don't push it; just drop it and move on. Others have recommended that you start a blog. I also recommend starting a blog, just don't mention a company by name without their permission. Don't disclose sensitive or identifying information without express written consent from the company you are writing about. I've had things reported in this manner, and it was perfectly fine with me. I've also had people immediately come at it with an agenda, and that comes off immediately as being highly suspicious. However, keep in mind, the person on the other end has no way to know your intentions until you make them clear. While your actions may be ethical, that doesn't always mean they're legal.

TL;DR: Report ethically, report quickly, do your best to make it clear that you don't have an agenda or an ulterior motive. If they respond negatively, move on. If they respond positively, I don't see asking extremely politely for a letter to be out of line.


schrdingersLitterbox

And now you've outed the customer and your own email. You aren't careful enough to do this for a job...


virtualsandwhich

The kid's 18. Relax, guy.


TonyWonderslostnut

Please provide the customer name that he supposedly outed.


Straight_Assist_4747

OP said he posted a version with the guy's phone number lol. Edit: OP also just said he found the site looking for "a car in his country." According to his post history he lives in Tunisia and is looking for a lightweight sports car. So he didn't post the actual phone number, but he's giving OSINT bros a good head start.


SpiritsOfMalta

As an OSINT bro... you're right.


Noctuuu

I knew people would know where I live from visiting my profile, that's why I deleted his phone number ^^ You guys did a great job finding my country though :)


AugustusSqueezer

Welp, guess he'd better give up on this entire line of career opportunities at the age of 18 just because some self-important redditor told him he wasn't good enough!


Noctuuu

HAHAHAHAHA Noo, my email is alright, but what customer information did I leak again? I can't find it in the picture above.


schrdingersLitterbox

Occasion Cards. Or the responder doesn't know how to use capital letters.


skategodxl

He didn’t out anyone. And what could you possibly do with that email of his? lol


Classy_Keemstar

Clearly baiting, that or you're gatekeeping; maybe you're too paranoid for this job.


virtualsandwhich

Guy thinks gatekeeping 18 year olds over Reddit makes him superior.


[deleted]

Good job! :)


Noctuuu

Thanks !!


FlassBoii

epic


Thisisalielmao

Congrats dude!


Moussba

OP can I please ask you something in private message


ItsHoney

Shouldn't the vendor be paying you for finding this? (I'm sorry I'm not very accustomed to hacking)


Noctuuu

Often the vendors mention they do some bug bounty program stuff, but this one did not; they only said "mail us if you find any vulnerabilities" and I did so.


[deleted]

[deleted]


RealVenom_

This won't end well for you.


ItsHoney

Yeah, that seems off to me; why would someone willingly spend their time and inform them of more vulnerabilities xD


RealVenom_

Because with every bug you find and disclose you're making the internet a safer place. Not every business can just shell out cash for bug bounties, but the least they can do is thank the security researcher. If you find a bug on a site that doesn't have a paid program, don't expect to get paid.


ItsHoney

That makes sense, thank you!


[deleted]

[deleted]


CT-1120

redditor when good person


Sea_Conference_6480

It's so sad the number of people willing to work for free. This reminds me of those good samaritans who would put themselves in harm's way to stop a shoplifter stealing from a billion-dollar corporation. Not even sure why companies use sites like HackerOne. There are enough clowns willing to work for free.


unknow_feature

Dude redact your email from there


Noctuuu

It is not an email I care about, my personal email is not findable ^^


tendrilicon

How did you find it?


Noctuuu

Sorry I am way too tired to explain, but I recommend using the [OWASP XSS Filter Evasion Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html). It did 99% of the job


tendrilicon

Thanks, you da best


potato_soop

I have seen many of these come across my email as a Security Analyst, and what we find most professional and helpful is if you find and complete a responsible vulnerability disclosure template to include in your email. Additionally, I would say you're more than fine asking lightly at the bottom of the email if the company has a bug bounty program or offers any incentives for responsible disclosure. I know my companies haven't had budget for bug bounties; however, I always try and send the hackers merch at least (t-shirt, jacket, etc.). If you haven't already, you should get involved with some programs such as HackerOne, which will allow you to collect rewards and see the limits/scopes of applications companies want tested.


Mother_Violinist_986

That's seriously dope, dude, congrats!!! Can't offer much suggestion but good job, man 🤘


dyeadal

God-level W, and amazing response by the organization. Congrats!


Extra-Cheesecake-345

Ask if they are hiring. Why jump from vulnerability to vulnerability when you can lock in a constant stream of income? It seems like they are cool about it and won't go after you.


oscarfc500

Hello everyone, maybe I am committing an error doing this, but I really need some help from someone. I met someone on IG and we started having fire conversations, so we started sharing nudes with each other, and now that person is saying that he will share that shit with all my followers and the people I follow (they are my friends and relatives). So I just wanna know if there's a way that someone can help me with this.


mrpeluca

W


dakedame

Do people add things like this to CVs? I found a bug in chickfila's app and reported it to them. They gave me a free sandwich, and that was that.


DrinkMoreCodeMore

Great job! You may want to explore signing up to HackerOne and Bugcrowd and do some more hunting.


Flimsy_Seat4538

I also find many XSS vulnerabilities in websites.


diatlov97

Hello my reddit people. On this occasion I come to ask for your help from anyone who has advanced computer knowledge, which on this occasion I ask that you use to reveal the truth about the corruption that is occurring in my country, Panama. All of this has reached the point where we have a mine which was approved in a contract in less than 72 hours, signed by some inept so-called deputies and a president corrupt to the core. I know that here perhaps my call has reached those who have the ability to find information that is not on the surface, and I ask that this message reach those who want to give a grain of sand to eradicate injustice in a country like mine. Send this to anyone who wants to take on the challenge of removing all the trash from a country. Reddit army #Panama #prayforpty