As promised, Kim Dotcom starts payouts for Mega vulnerability reward program (thenextweb.com)
75 points by Lightning on Feb 10, 2013 | 29 comments



I really think Dotcom is making all of the right moves here. I remember reading a multitude of comments from people on various sites saying that he would rip people off with his "vulnerability reward program" but here we are, Dotcom is putting his money where his mouth is and paying out the money. Mega is definitely a rising force and once the kinks are ironed out, Hollywood should be very scared.


Why on earth would someone suspect that? I mean, given Mega's cash:goodwill position, what would be their possible motive for welching out on a few $1000 bounties?


Wait, how much money did he pay out, and to whom? What would be the point of not listing who is being paid or what they're being paid, except for deception?


Does it matter how much money he paid out and to whom? Things are getting fixed by the looks of it. Do Google or Facebook release a list of names and how much they paid for their bounty programs? (I did a search, but couldn't find anything, so maybe they do.) If Dotcom were to try and rip someone off, sites like Techcrunch would foam at the mouth to release a story like that. Everyone loves to hate Dotcom; the insinuation in your comment about deception proves this very fact (unless you have evidence that proves he is being deceptive and hiding the information for nefarious reasons?).


> Do Google or Facebook release a list of names and how much they paid for their bounty programs?

Names, yes; $, no.

[1]: https://www.google.com/about/appsecurity/hall-of-fame/reward... [2]: https://www.facebook.com/whitehat/


$, yes. One of the Indians who was rewarded by Google: http://www.sandeepkamble.com/skl337/2012/12/28/vulnerability...


Here are some facts and numbers about Google's VRP:

http://www.nilsjuenemann.de/2012/12/news-about-googles-vulne...


Facebook is giving a $500 minimum reward. https://www.facebook.com/whitehat/bounty/


The people that would blow the whistle on this are people that report bugs, but don't get paid. If he claims to have paid people, but the 'people' and vulnerabilities are just fabrications, then only someone within the organization would be able to blow the whistle, no?


Yes, amounts and names/handles are listed by Google and Mozilla; not sure about Facebook.

To be clear - you think it's fine to cite the announcement of an undisclosed amount of money being paid to an undisclosed list of people as proof of their status as a good actor, yet you require concrete evidence that they are being deceptive for nefarious reasons to question his motives.


Well, there's the one email where they've offered 1000 EUR ($1336.20 at today's rates) for an XSS bug. It seems they've been following up on it, and you'll certainly hear about it if they don't.


I really hope they'd add $0.80 when paying out in dollars.


Responsible disclosure includes protecting the privacy of everyone involved. If the people who have been awarded bounties want the publicity, I'm sure they will let us know who they are.



As already stated, Google's hall-of-fame is voluntary.

If you conduct any sort of business transaction with someone (and that's exactly what this is) a good business would assume that the transaction is private unless other arrangements are made with the other party. It's common sense and common courtesy.

If Mr. Dotcom asked first and then publicized the names, that's fine. If he made it a requirement of collecting the bounty, he's also within his rights. However, if he gave them the money and then disclosed their identities without asking them, it would be an unprofessional thing to do. Not unforgivable, just unprofessional. Some people value privacy and anonymity. That's their prerogative.


Name disclosure is optional, not mandatory.

http://www.chromium.org/Home/chromium-security/vulnerability...


I think most of the people saying "rip off" consider token $1k checks "ripping people off," considering implementing it correctly would require hiring talented engineers with expensive salaries. Given the giant holes punched in the original security implementation pretty much immediately after launch, he seems to have skimped on engineering talent preferring to instead pay these small bounties.


Sometimes even the smartest and most expensive engineers fail to find things 14-year-old kids in their poster-laden bedrooms seem to be able to find these days... Google, Facebook and other tech companies seem to see the value in having a bounty program for security issues and bugs as well, and by the looks of it, Dotcom is offering the same reward amounts as Google and Facebook are offering, so I guess by your logic Google and Facebook (two companies with larger amounts of money and smart engineering hires) are ripping people off as well? You are forgetting that Dotcom has to hire competent engineers to fix the reported issues; I doubt a lot of the people finding the bugs and vulnerabilities are providing code samples and fixes to Dotcom. They're merely finding the holes, and it's up to Mega to get their team of engineers to fix the issues.


> considering implementing it correctly would require hiring talented engineers with expensive salaries

Perhaps this is a new business model, replacing the traditional model of hiring expensive engineers to achieve secure software development? If this is true, then we should all move to this new model and the existing "talented engineers with expensive salaries" are simply overpaid.

I don't actually think this is true, but if it were, what would be wrong with it?


You could also provide all the source to your program to your customers, so they could see and modify it. With this, every customer who has the time and inclination to report and help with the resolution of a problem is like a new pair of eyes looking for bugs. It could be said that with enough pairs of eyes, all bugs seem eye-poppingly obvious.

I think we should call this model open-soars, because it lets your software soar in the open sky above the competition.


I don't. I think that is a post-proof change in the stated criticism, designed to save face after having been proved wrong.

Not saying that applies to you as such, but I see that sort of argument creep way too often.


OK, I take it back. He paid out, not that he would have ever read my original comment (or even this one), but I owe Kim an apology.


Good on Kim for paying them out.


I'm like 99% sure they intentionally left a few 'low-risk' vulnerabilities which they knew people would uncover (and be rewarded for) to entice the big boys of security probing to roll up their sleeves and get to work looking for the really big ones.

In the long run, they're paying a reasonable amount of money for an army of security consultants to give the service a once-over. Smart!


Is it so implausible that they accidentally left a few low-risk bugs in such a rushed project? It would be pretty damn impressive if all those low-risk bugs were actually intentional.


Why would you intentionally leave in potential vulnerabilities, if you hypothetically have the option to release bug-free code and boast about it?


You never have the option of releasing bug-free code. So if they released code with bugs, called it bug-free, and boasted about it, someone would come along, prove them wrong, and embarrass them.


They wouldn't boast about it directly, simply having a bug bounty where no bugs were found/reported would do the boasting for them.


The publicity wouldn't be as effective. However, I can't see them doing this.

