Hacker News: thrwawayask's comments

Hi, newbie sec researcher here. Just wanted to ask: how do we actually ask for a bounty, considering that sometimes the severity of the breach is BIG (this, shell access, etc.)?

I really don't want to ask the companies for money, but it just seems so... underwhelming to me. (3 out of 3 rather big companies just gave some thanks.)


No matter what it is, you don't just give someone something they didn't ask for, and then expect money in return.

It would be like someone walking up to you on the street, handing you something they think is valuable, and then hoping that you'll want it and pay them for it.

The first thing you should do is check and see if they have an official bug bounty. If they don't, then contact them and ask them if they have one; say something like "because you saw some things on their site that concerned you, but wanted to know if it was worth the time exploring further". This is assuming you already found something. The goal of this is to get them to try and offer a bounty.

If they don't offer a bounty, then, if you want to be responsible, you can just disclose their vulnerabilities to them and accept whatever thanks you get.

If you're explicitly doing what you're doing to try and get some money out of it, then your time would be better spent focusing on companies that have well-published bug bounties.
