I really like searching for vulnerabilities in small and new companies. Recently I reported a CSRF in two startup sites that I used for an account hijack. One of them was Examine.com, which patched the problem in less than a day (and I reported it at around 11pm on a Saturday night. Way to go).
The other one I had performed an account hijack on in the past. This startup has not responded in over a week to my disclosure of an account hijack vulnerability in their site (I can also delete accounts as I please...which is not good). The earlier one was patched in 2013 but was by far the funniest vulnerability I have found. Here's how it worked.
1. Guess the email address of a user (I used whois for the founder's account).
2. Visit the password reset page (which was something static like [email protected]).
3. Put `' or 1=1--` in the reset code field and change the admin password.
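To show why that reset code worked, here is an added example (my own illustration, not the startup's code) of a reset-code check written the way the post describes, next to a hardened version. The schema, the `password_resets` table and the email addresses are constructed for the example; the in-memory SQLite database stands in for the site's real database.

```python
import hmac
import secrets
import sqlite3
import time

RESET_TTL_SECONDS = 15 * 60  # assumption: reset links live for 15 minutes


def open_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's reset-code storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE password_resets (email TEXT, code TEXT, expires_at INTEGER)"
    )
    return conn


def issue_reset(conn: sqlite3.Connection, email: str) -> str:
    """Create an unguessable, time-limited reset code for an account."""
    code = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO password_resets VALUES (?, ?, ?)",
        (email, code, int(time.time()) + RESET_TTL_SECONDS),
    )
    conn.commit()
    return code


def vulnerable_lookup(conn: sqlite3.Connection, email: str, code: str) -> bool:
    """The pattern the post describes: user input is concatenated into the SQL.

    A submitted code of  ' or 1=1--  turns the WHERE clause into
    email = '...' AND code = '' OR 1=1  (the -- comments out the rest),
    which matches every row, so any email address passes the check.
    """
    sql = (
        "SELECT email FROM password_resets WHERE email = '" + email
        + "' AND code = '" + code + "'"
    )
    return conn.execute(sql).fetchone() is not None


def hardened_lookup(conn: sqlite3.Connection, email: str, code: str) -> bool:
    """Parameterized query plus constant-time compare, expiry and single use.

    The submitted code is bound as a parameter, so the database never parses
    it as SQL, whatever characters it contains.
    """
    row = conn.execute(
        "SELECT code, expires_at FROM password_resets WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    stored_code, expires_at = row
    if time.time() > expires_at:
        return False
    # compare_digest avoids leaking the code length/prefix via timing.
    if not hmac.compare_digest(stored_code.encode(), code.encode()):
        return False
    # A reset code should only ever work once.
    conn.execute("DELETE FROM password_resets WHERE email = ?", (email,))
    conn.commit()
    return True


if __name__ == "__main__":
    db = open_db()
    real_code = issue_reset(db, "founder@example.com")  # constructed account
    payload = "' or 1=1--"
    print("vulnerable, injected code:", vulnerable_lookup(db, "nobody@example.com", payload))
    print("hardened, injected code:  ", hardened_lookup(db, "founder@example.com", payload))
    print("hardened, real code:      ", hardened_lookup(db, "founder@example.com", real_code))
```

The hardened version fixes three things at once: the parameter binding removes the injection, the random token removes guessability, and the expiry plus delete-on-use limits how long a leaked code is useful.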
At the time I felt really bad, because I had no idea this would actually work. I helped them fix this vulnerability and a few other XSS issues I had found, and asked for nothing in return.
This is something I encourage all security minded people to do. Security is hard and **expensive**. Startups oftentimes do not have a lot of resources to spend and can fall really far behind on keeping their product secure.
Do some *pro bono* work. First, it is a startup's site; it normally doesn't take more than 5 minutes to find a critical vulnerability. Second, you can accumulate a lot of cool t-shirts. Third, it can turn into some consulting pay, where you can make some easy money teaching people about basic web security who otherwise would have no idea (think bare minimum CSRF/XSS/SQLi).
ejj, March 2014