
Suppose one found information about a large organisation’s software, for example Apple Pay, about their payment system that could cause very bad legal trouble for them. This could be related to the fact that all purchases must be tracked. But with what’s going on they aren’t.

Is there a way to offer the information in exchange for money without risking breaking the law? In particular one should avoid the risk of anything that could be interpreted as a threat.

The potential for legal consequences is indicated by cases such as the reporter in Missouri who was threatened with legal action, but not prosecuted, in relation to "unlawful to access encoded data and systems in order to examine other people's personal information", aka pressing F12 in a browser, and the 18-year-old Hungarian who was arrested for much the same. Note that neither of these requested payment.

User65535

1 Answer


Large tech and software firms do solicit feedback on casual bugs and pay bounties to people who credibly identify security issues and offer some legal cover through the process.

For example, Apple describes its bounty program at https://security.apple.com/bounty/:

If you believe you’ve discovered a security or privacy vulnerability that affects Apple devices, software, or services, please report it directly to us. We review all eligible research for Apple Security Bounty rewards.

The report submission process will ask for an Apple ID for tracking purposes and details of the research you have done to confirm the vulnerability. (It's always possible someone else already pointed out the issue and it's being evaluated, but not yet resolved.)

There are also a number of terms and conditions, including not disclosing the nature of the vulnerability to anyone else pending a resolution of the case, as well as not violating any applicable laws. The process should otherwise immunize you from legal action from the corporation.

jeffronicus