I'm confused. If I put code out into the wild, as a website, as an application, as... whatever, I'm supposed to compensate people that take it upon themselves to poke holes in it?
I mean, I appreciate the effort and the time, but just because you run a large web service or any web service doesn't mean that I should pay you for vulns. You should receive my gratitude, anything more than that is being extra nice.
Now, is there value in posting that there is some bounty for these things? Will it result in better, more frequent disclosure and give me the ability to close holes before someone nefarious comes along? Absolutely. Until I do that, people shouldn't speculatively be doing research and then retroactively bitching about how little they got paid.
If you do work like that, please let me know, I've got some projects you can work on that I might decide to pay you for.
If you run a large web service, how much is it worth to you for vulnerabilities to be reported directly to you, versus being sold on the grey market to someone looking for an exploit?
That is a question you should be asking when you decide to post bounties. It is not a question you should be forced to ask after someone goes and finds vulnerabilities all on their own without your knowledge and then comes to you and asks for payment unbidden. That is called extortion.
You're right. As a result, white-hats should spend zero time with Yahoo (as the company in the article has indicated they will). The result of that is that only black-hats will be finding Yahoo vulnerabilities. Not a good end result.
What should happen is that Yahoo should have bounties in the first instance. They don't have to, but not having them leads to a bad outcome for everyone except black-hats.
There is something about offering a small amount of money that is worse than offering none. Like leaving a waiter a penny.
If cash is part of the equation, pay the going rate. If it's not, then acknowledge that someone did you a favor. Anything in between could be perceived as an insult/cheap.
Yep, it says I'm a cheap fuck. It was better for them not to pay and offer some other form of recognition if they weren't going to shell out some real money.
One day you walk outside and you notice your neighbor left his keys on top of his car.
You knock on his door and let him know. He says, "Wow, thanks for the heads up, I'll buy you a beer sometime."
You think to yourself, "A beer?? I just saved his car from being stolen. That's worth a lot more than a beer."
A week later you walk outside and see he did it again. Instead of knocking on his door, you walk into the alley and tell a local criminal about it in exchange for 500 dollars.
You have constructed an analogy so inapt that it threatens to suck all other dumb, unenlightening analogies on HN over its event horizon until it forms a sort of inapt hole from which dumb analogies could never escape.
The difference is that noticing it is much harder than "walking outside one day," and he's not just some homeowner.
Rather, it's a bank, and through your advanced knowledge of structural engineering, and at least several days of work, you find a weak point in the wall that would allow for easy, noiseless drilling, allowing their vault to be emptied in ten minutes.
I agree completely that Yahoo doesn't owe them a penny, and it would be reprehensible to find a "different market," as the grandparent alludes to. But it's not quite the same.
I don't know if OP is advocating it, per se, but those marketplaces do exist. Even though it's morally and legally wrong, there is an incentive to sell exploits to the bad guys, instead of disclosing them to the company.
The analogy is a bit off, as 'a beer' is relatively good compensation for the disclosure of the car-key vulnerability, compared to the potential black-market value, and the potential loss to the owner.
With this example, it's more like you told your neighbor about his forgotten keys, and they gave you a nickel and a pat on the head.
A beer for the 3 minutes that you take to notice the key and tell him is about $120/hr.
By contrast, assuming the vulnerability in Yahoo's system took just one work week, their offer was $0.31/hr. That's 384 times worse than your neighbor giving you a beer for finding his key.
This is why your neighbor gets his key back for a beer and people are recommending black marketing Yahoo's vulnerabilities.
I don't understand what Yahoo did wrong. They didn't have to pay a cent but they did. I understand that it is nominal, but it is better than nothing. I guess just not in the case where the press can get a hold of it.
Putting a dollar amount on anything signals value perception. $12.50 is a lot worse than a warm welcome, or other free rewards like public acknowledgement, because it says Yahoo really couldn't care less about finding such bugs.
> To add insult to injury, they can’t even order a burger with their bounty, which can only be spent at the Yahoo Company Store
Yahoo gave them $25 in store credit at Yahoo.
I'd rather have gotten a nice letter, because that kind of "compensation" is as much trying to attract business to Yahoo products as it is trying to reward me.
In all likelihood, they'd have earned at least 10 times as much spending the same number of hours at Burger King, and probably over 100 times as much selling the flaws.
Grossly underpaying is much more insulting, because it says directly what they value your work at, than not paying, which may simply be a policy of not handing out rewards for that kind of behavior.
Perhaps the idea was to say "hey, thanks, here's a t-shirt. Instead of us picking one, you go ahead and pick out any one you like." Or is a letter and a novelty gift also an insult?
Picking out a novelty gift would be fine; you could even have put some thought into what it would be. Acting like giving me the funds equivalent to a novelty gift is a reward tells me the precise dollar value you attached to my work, which is insulting.
The funds are considerably more impersonal than simply giving a gift and demonstrate in a concrete way the low value it was given by Yahoo - not even worth a personal email to ask about t-shirt size/style.
I think he is saying that a letter and no money would be better than a letter and a pathetic amount of money. Getting a pathetic amount of money is more insulting than not getting any money.
My understanding is that nobody hired these guys to do anything and no bounty was offered for anything. So why should there be any expectation for a financial reward?
Security researchers' time is valuable. They spend their own time trying to find vulnerabilities that black hat hackers would use against their users, possibly at a profit. They report it to the company giving them a chance to fix their problems. It's called responsible disclosure, and the compensation keeps the smart guys on your side.
It doesn't even have to be monetary - for example, GitHub maintains a list[1] of people who have responsibly disclosed vulnerabilities, and they often send them a shirt or something similar.
This sounds remarkably like how the squeegee men operate in a big city. Oh, hey, I just washed your windshield, you owe me some money. No? Oops, terribly sorry about that scratch as I walked by.
Except the squeegee men offer a service that you don't really need, and doesn't offer you much value. Responsible disclosure to a company is often much more important than a clean windshield is to you.
"Each of the discovered vulnerabilities allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her clicking on it."[1]
Or threatened litigation, the hallmark of companies who have no clue about security policy.
Edit: the parent was deleted while I posted this but the gist was that 5-10 years ago all you would get for reporting an issue was a thank you and maybe a T-shirt.