orofino | 12 years ago
I'm confused. If I put code out into the wild, as a website, as an application, as... whatever, I'm supposed to compensate people that take it upon themselves to poke holes in it?
I mean, I appreciate the effort and the time, but just because you run a large web service or any web service doesn't mean that I should pay you for vulns. You should receive my gratitude, anything more than that is being extra nice.
Now, is there value in posting that there is some bounty for these things? Will it result in better, more frequent disclosure and give me the ability to close holes before someone nefarious comes along? Absolutely. Until I do that, people shouldn't speculatively be doing research and then retroactively bitching about how little they got paid.
If you do work like that, please let me know, I've got some projects you can work on that I might decide to pay you for.

bcbrown | 12 years ago

[author not captured] | 12 years ago
If you run a large web service, how much is it worth to you for vulnerabilities to be reported directly to you, versus being sold on the grey market to someone looking for an exploit?

DerpDerpDerp | 12 years ago
It's that if you do give a bounty, don't make it an insultingly low value at your corporate store.

kmfrk | 12 years ago

[author not captured] | 12 years ago
There is something about offering a small amount of money that is worse than offering none. Like leaving a waiter a penny.

johngalt | 12 years ago
If cash is part of the equation, pay the going rate. If it's not, then acknowledge that someone did you a favor. Anything in between could be perceived as an insult/cheap.

yogo | 12 years ago

[author not captured] | 12 years ago
Yep it says I'm a cheap fuck. It was better for them not to pay and offer some other form of recognition if they weren't going to shell out some real money.

cvburgess | 12 years ago
[1] https://news.ycombinator.com/item?id=6472965
[2] http://grahamcluley.com/2013/09/serious-yahoo-bug/

aspensmonster | 12 years ago

hsod | 12 years ago
One day you walk outside and you notice your neighbor left his keys on top of his car.
You knock on his door and let him know, he says "wow thanks for the heads up, I'll buy you a beer sometime"
You think to yourself, "A beer?? I just saved his car from being stolen -- that's worth a lot more than a beer"
A week later you walk outside and see he did it again. Instead of knocking on his door, you walk into the alley and tell a local criminal about it in exchange for 500 dollars.
This is essentially what you're advocating.

dkroy | 12 years ago

[author not captured] | 12 years ago
I don't understand what Yahoo did wrong. They didn't have to pay a cent but they did. I understand that it is nominal, but it is better than nothing. I guess just not in the case where the press can get a hold of it.

pjbringer | 12 years ago

[author not captured] | 12 years ago
Putting a dollar amount on anything signals value perception. $12.50 is a lot worse than a warm welcome, or other free rewards like public acknowledgement, because it says Yahoo really couldn't care less about finding such bugs.

DerpDerpDerp | 12 years ago
> To add insult to injury, they can't even order a burger with their bounty, which can only be spent at the Yahoo Company Store
Yahoo gave them $25 in store credit at Yahoo.
I'd rather have gotten a nice letter, because that kind of "compensation" is as much trying to attract business to Yahoo products as it is trying to reward me.
In all likelihood, they'd have earned at least 10 times as much spending the same number of hours at Burger King, and probably over 100 times as much selling the flaws.
Grossly underpaying is much more insulting, because it says directly what they value your work at, than not paying, which may simply be a policy of not handing out rewards for that kind of behavior.

javert | 12 years ago
No, it's really not. Which is why it is so insulting.
It would have been much better to just say "thanks" and give nothing.

magicarp | 12 years ago

tarice | 12 years ago
"Each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her clicking on it."[1]
[1] https://www.htbridge.com/news/what_s_your_email_security_wor...

joejohnson | 12 years ago

borlak | 12 years ago

unknown | 12 years ago
[deleted]

dreamdu5t | 12 years ago