HACKER Q&A
📣 FreezeBurn

When can you expect to be sued by a Big-4 for exploiting a loophole?


Hi, I found a weakness on a Big-4 website: whenever I create an account and launch a certain script, I earn $50-70, and I can do this a virtually unlimited number of times. I do NOT need to lie or use fake credentials to take advantage of this. I warned them about it and sent them some of my code. They classed it as a low-priority issue, said they were aware of it, that it was "working as intended", and that they didn't plan on fixing it. So I'm like, ok, maybe they don't realize that I can do this on a large scale, so that's free money then, or maybe it's just that they're a multi-billion dollar company after all, so why would they care about a measly thousand dollars or a few grand of damage.

I think it would be hard for them to get me convicted as I'm only using my real legit credentials, but they could certainly ruin me with legal fees if they ever wanted to sue me.

When do you think I should stop? I did it with a few accounts already, and I honestly think I could easily make a few grand per day if I went all in on this. I don't know when I should realistically expect to get in trouble.

I kinda want to use this as a way to live well while working full time on my startup. This is probably a crazy idea, but it could work.


  👤 staticautomatic Accepted Answer ✓
Yeah they could sue you, and you'd have to get quite deep into defending it because your best shot at a defense (depending upon what exactly they told you) is probably estoppel, which is an affirmative defense you could win on I think no earlier than summary judgment. That is to say, after you're bankrupt.

👤 simonpure
Proper etiquette is to report a potential vulnerability through the appropriate channels, give them sufficient heads-up that you will publish your findings and then go ahead and do a write up.

Ideally, your startup is related somehow so you can take this opportunity to get people curious enough to check it out and drive some traffic.

I always like a good story about how people find new vulnerabilities, and if it's written well I would definitely read it and probably click through to your startup.

Your efforts are much better spent on your startup than trying to find short term hacks.

Also, I'm not a lawyer and this is not legal advice.