This is an automated archive.
The original was posted on /r/cybersecurity by /u/Ill-Arm-5597 on 2023-08-28 06:31:10+00:00.
I work as a cybersecurity developer. In my company, I've developed a Web Application Firewall (WAF). My daily task involves monitoring and blocking malicious IP addresses, which can be quite dull. On the side, I'm also interested in ethical hacking, where I test the security of the applications I use without proper authorization. I've successfully identified vulnerabilities in about twenty instances, including accessing sensitive data of millions of people.
Most companies don't have a formal vulnerability reporting program (Security Response Center), so I often reach out to them directly. They are usually willing to hear about the vulnerabilities I found and sometimes even reward me with a bounty. However, from what I understand, these actions could potentially be considered illegal if pursued seriously. This realization has made me uneasy, so I've decided not to continue down this path.