

How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole (2012) - hbhakhra
http://www.wired.com/2012/10/dkim-vulnerability-widespread/all/

======
hbhakhra
How can someone monetize on a finding like this? This vulnerability easily had
a value of millions to Google, Amazon, Yahoo etc, but how could Zachary Harris
have made money of his discovery?

~~~
simoncion
> This vulnerability easily had a value of millions to Google...

Did it? Any competent computer programmer or competent mathematician with a
passing knowledge of crypto would understand how weak that 512 bit static key
was. This was clearly an oversight, rather than a subtle bug.

~~~
hbhakhra
An oversight is still a vulnerability. I agree it didn't take some over the
top technical knowledge to discover it, and a 512 bit static key was known to
be vulnerable, he exploited it and showed it to be vulnerable. A widely known
bug that is in your code is still a bug.

~~~
simoncion
You... clearly failed to understand my comment. I was addressing your claim
that "This vulnerability easily had a value of millions to Google...".

I argued that it did not. This was the only thing that I argued.

I don't understand why you're telling me that a security oversight can lead to
an exploitable vulnerability. I never claimed otherwise.

