Bit of an ethical question...

[Burnedice25]

Hello

I am a tutor for a person who needed some help getting around the anti-cheat of a couple of raffles he was entering. They were all done on one site and I found a method to circumvent their security. He paid me a decent amount for the work but I was wondering about a few things.

1. If I were to tell this site about the flaw, would they pay me? And if so, how much. I think the method has the ability to make a lot of money as the raffles hosted on the site are about crypto.

2. If I were to say I had a "hack" to this site, and they offer me no money, could I get in legal hot water as I'm sorta blackmailing them? From what I've seen, they have no active rewards for security flaws. Would I be forced to tell them even if they don't pay me

3. If I were to get paid, how much would it be?

4. What should I do ethically? I'm not directly using the method, I was just hired to find a way to enter a raffle multiple times.

 

Would really like some help with this,

cheers

[SlashedM]

3 minutes ago, Burnedice25 said:

If I were to tell this site about the flaw, would they pay me? And if so, how much.

Only the site can tell you, they aren't legally obligated to pay you unless you make a contract or anything. They could pay you a dollar, they can pay you a hundred, no one knows. It completely depends on them and the "exploit".

4 minutes ago, Burnedice25 said:

If I were to say I had a "hack" to this site, and they offer me no money, could I get in legal hot water as I'm sorta blackmailing them?

Potentially. Could be considered ransom. 

4 minutes ago, Burnedice25 said:

If I were to get paid, how much would it be?

Again, no one knows. 

5 minutes ago, Burnedice25 said:

What should I do ethically?

Either inform them or don't without using it against them. 

[Oshino Shinobu]

1. Potentially. Though they have no legal obligation to give you a reward . Hell, they might not even develop the site themselves, either using a 3rd party designer or a service like Wix or Squarespace. If the fault is in another company's design, I wouldn't expect the raffle hoster to give you any reward. 

 

2. You're crossing into blackmail/extortion here. At this point it's not an ethical issue, but rather a legal issue. 

 

3. Depends on the company. Anywhere from $0 to I think $10,000 is the highest I've ever heard of. If they don't have an explicit bug/exploit reward program, I wouldn't bet on getting much more than a thank you. 

 

4. You should alert the company of the security flaw. Asking for a reward is fine, as long as you don't hold the security flaw ransom. 

[suedseefrucht]

1 hour ago, Burnedice25 said:

What should I do

You could tell them, you found a security problem and ask if they would like to buy the information.

But it is not as easy as just giving you the money, because you would need to pay taxes for the money.

[LogicalDrm]

*** Thread locked ***

 

The premise here is already illegal. Aiding someone to gain monetary value and getting paid for it. Same is with anything where you refuse to share information you have gained without getting paid.