
So I’m the guy who sent the t-shirt out as a thank you - jnazario
http://yahoodevelopers.tumblr.com/post/62953984019/so-im-the-guy-who-sent-the-t-shirt-out-as-a-thank-you
======
emhart
I not only appreciate what they are trying to do moving forward, but also the
entirely good natured, reasonable tone of the whole message. He explains
without getting defensive and, in my opinion, helps Yahoo come out of this
with a potential PR win. Well done.

~~~
abraxasz
After reading the first sentence of the post, I paused and tried to imagine
what would come next. I had three guesses:

1) A clean, unconditional apology, like: "I screwed up, I'm going to fix it".
I had very little hope since people don't often admit this type of thing.

2) A defensive apology (that is, not really an apology): "Yeah I kinda screwed
up a tiny little bit, but really it wasn't my fault, the predecessors..."

3) A smart-ass offensive strategy: "aha, you don't get it, our t-shirts are
really cool, you should be happy that we even offer gifts and recognitions,
you ungrateful bastards"

My ideal answer would have been 1) of course. Turns out, he exceeded my
expectations (I'm the cynical jerk, here). He was a good guy in the story,
explained the situation without fake apologies, or anything. Great answer.

~~~
dccoolgai
Word count for "sorry" or "apologize" in that article: 0.

_That_ is PR jiu-jitsu. Make everyone feel good, make yourself look good and
don't even use the word "sorry". Of course, it helps that you were "in the
right" to begin with, but deftly handled, nevertheless...

~~~
gmisra
What behavior should he be apologizing for, in your opinion?

~~~
PeterWhittaker
This. He bought shirts - and gift certificates, etc. - with his money because
they didn't have any other way to thank people.

He also wrote thank you notes.

Very old school. My grandmother would be proud.

T-shirt-gaters need to lighten the heck up.

~~~
devindotcom
This is one of those situations where, since you're responding to a question,
the "This." format of answer makes your comment unclear. Just FYI - it sounds
like you're listing the things he should be apologizing for (although that's
not the case given context, obviously).

------
elliottcarlson
(Note, I technically work for Yahoo - but this is all personal opinion)

Great on Yahoo for putting a reward program in place, but when did everyone
become so entitled to getting something for reporting a bug/security concern?

If you stumble on to an issue, and you are a good person, submit the report.
If you are looking to make a living off of finding bugs, go directly to the
companies that actually have a reward program in place. Don't be mad when you
get a thank you gift that wasn't what you expected. Don't get mad at your
security report not meeting guidelines.

~~~
forgottenpass
_when did everyone become so entitled to getting something for reporting a bug/security concern_

Sometime around the point where:

- Yahoo!'s competition started offering bounties, and

- "Entitlement" became a rhetorical tool to dismiss discussion of any
business practice that might cost money

~~~
elliottcarlson
This has nothing to do with Yahoo - this has to do with every time there is
someone complaining about them not receiving the bounty they wanted - and in
this case about getting a t-shirt as a thank you. I am happy Yahoo is putting
a reward program into place - but the general commentary from the community
annoys me.

~~~
thaumaturgy
It's simple pragmatism. I'd expect that HN, of all places, would get this.
(And most seem to.)

You are a security "researcher". Maybe that means you work with a group of
bona-fide professionals, maybe that means you're still in high school.

Either way, you have the capability to break things. But, breaking things
isn't trivial; you don't expect to spend a few minutes "poking around" and
come up with something, especially something interesting.

So you have some choices. You can: try to break things which will give you
rewards proportional to the time you spent and the severity of what you find;
try to break things which will give you almost no official reward at all; or
try to break things and then sell the solution to the highest bidder or make
use of it yourself. (Let's assume that people aren't generally in the habit of
working for free.)

Now then. You're Yahoo, with millions of user accounts and a not-great track
record for security. What would you prefer for the hacker to do, and how would
you incentivize them to do it?

You can gripe about "the community" or "entitlement" all you want -- until it
becomes sufficiently annoying or unproductive -- but that won't change the end
result, which is that companies which give substantial rewards for bug
bounties are creating a marketplace where they win by getting lots of good
talent to examine their systems without paying by the hour or day for it _and_
the company gets first dibs on the details of the bug.

Companies which don't do this, lose.

~~~
drharris
> Companies which don't do this, lose.

_People_ lose. As in, real flesh and blood people. Everyone seems to think,
"Ah, they'll just sell it to the highest bidder." You know what, screw that
belief, and screw those people who think that way. You do that, you become
evil. End of story. Should it be the company's job to ensure this doesn't
happen as best as possible? Yes. Does the lack of a reward justify the
demonstrably evil behavior of selling vulnerabilities? No. Sick and tired of
the idea it's ok to sell a vulnerability wherever the money is. When is the
computing community going to step up and put an end to morally wrong behavior
like this? We need to ostracize those people, not condone and justify such
behavior.

~~~
shawn-furyan
I agree. I think the problem is conflating the dark grey market[1] values of
vulnerabilities with their white market values.

Reportedly there is a lot of money in the security vulnerability dark grey
market at this particular moment in time, and that seems to be pushing up the
perceived monetary value of these vulnerabilities.

But if you think about it, it would feel an awful lot like extortion for a
researcher who's found a vulnerability to allude to the grey market value of a
vulnerability in a responsible disclosure discussion. This is kind of what the
community is doing by consistently bringing that point up in regards to
rewards for such responsible disclosures.

At the end of the day, if the researcher is virtuous, then the black/grey
market value of the vulnerability is irrelevant, and so acknowledgement of the
issue, followed by rapid action to close the vulnerability, and optionally, a
token of appreciation is plenty of reward for the disclosure from a moral
point of view.

Now, I'm not naive. I believe that people respond to incentives and when
you're talking about incentives, then the black/grey market values do come
into the calculation. But that's a purely amoral and pragmatic optimization
problem, and therefore not a proper object for the moralizing that we've seen
regarding these programs.

I don't have any particular issues with pontificating about how a particular
company could be more effective if it increased its bug bounty rates[2], but
any pseudo-moral outrage is hollow because it's founded on the assumption that
moral and immoral disclosure are relatively equivalent options.

[1] That is, it's not always technically illegal, but I think that the market
is fairly universally regarded as antisocial if not a major threat of the day.

[2] Though it would be very difficult for a company outsider to actually
accurately determine the value of responsible disclosures to a company. There
are a whole lot of vulnerabilities in complex software, and really, any
particular disclosure is essentially worthless. I would imagine that the real
monetary value of a given disclosure is orders of magnitude less valuable to
the vulnerable company than it would be to a potential attacker. For the
vulnerable company, they still have a vulnerable product after fixing the
particular vulnerability, but for the attacker, they have a successful attack
vector by having knowledge of the particular open vulnerability. Also, I can't
imagine that the value of a particular vulnerability is proportional to the
company's revenue/valuation/etc. which is the metric that seems to always be
trotted out when talking about how a particular company's reward program is
not generous enough, especially with regards to "billion dollar companies"

------
drharris
People who imploded over this should be embarrassed. Here's a guy who was
doing more than the company policy just to be nice, and everyone turns into
complainypants over their perceived entitlement. Good on the company for
course-correcting and instituting a proper reward program, but the way this
was handled by the technical crowd is embarrassing.

~~~
badman_ting
The apology is a good one, and I feel bad for this person. But I don't think
that retroactively changes how bad this looked originally.

~~~
drharris
It looked bad at first glance, but keep in mind they had no bug bounty
program. Information about vulnerability reporting never said there would be a
reward. Security bounties are a fairly recent trend, and I'd wager 99% of the
web has no such policy in place. Maybe we expect the bigger companies to have
one, but there's no guarantee. In the end, when no bounty is promised up-front,
you can either take the low road and sell it on a forum, or take the
high road and enjoy your T-shirt. Whether or not you're a good or bad citizen
is up to you.

------
daeken
As a security researcher and someone who regularly participates in bug
bounties, thank you. You didn't have to do what you did, but you did it
anyway, just to be nice; that should be applauded, not criticized.

Remember everyone: if there's no bounty program in place, reporting bugs means
that your expected value for those bugs is $0. If you get more than that,
that's awesome, but don't expect it, or act like it's deserved; it's not.
Enjoy your Yahoo swag and go on with life.

~~~
tomjen3
I am fine with getting nothing, but I will get angry if you insult me after I
just helped you. And telling me my skills are worth less than minimum wage
(assuming it took more than 3 hours to find the bug _is insulting_).

~~~
x3c
I spent 10 minutes reading your comment, parsing it and then responding to it.
You owe me $5.

~~~
chris_wot
You spent _10 minutes_ reading that comment before you understood it?!?

------
forgottenpass
A t-shirt is a great gesture from a dude, but a terrible one from Yahoo!

It's too bad that, in his role, he was or appeared to be acting on behalf of
yahoo. The impermeability of corporate behavior meant nobody on the outside
really knew the difference before now.

~~~
frankdenbow
This can work well from a company also, it's just that expectations should be
met. We (Startup Threads) ship out shirts via API for companies and it's
overwhelmingly a positive response for recipients, as it's done as a thank you
for something that normally doesn't elicit a payment/attention (like bounties
for vulnerabilities would).

------
ximeng
[http://matthewshapiro.tumblr.com/post/62962519266/yahoo-developer-network-so-im-the-guy-who-sent-the](http://matthewshapiro.tumblr.com/post/62962519266/yahoo-developer-network-so-im-the-guy-who-sent-the)

I really don't get the response above.

~~~
droopybuns
No joke. What an unmitigated douchebag.

I work with so many people who have no hustle. No compulsion to go above and
beyond the constraints of the situation.

This position openly advocates that employees should only be workerbee drones
who stay within the rules of their corporate overlords

and/or

Only succeed, never make mistakes.

Both are fatally toxic attitudes. Fuck Matthew Shapiro.

------
jnazario
note: ramses is a friend.

so while i can't speak for him, what i can say is that i've known him for many
years, worked closely with him on very large, global issues, and have found
him to be a very standup, forthright guy who strives to make the world a
better place.

~~~
sjtgraham
It's very nice that he bought t-shirts at his own personal expense. He comes
over as such a conscientious person that I feel bad "t-shirt-gate" happened.

------
eloff
If I were a security researcher and put a lot of effort into finding
vulnerabilities for Yahoo I would have simply sold the exploits to the highest
bidder, and invited Yahoo to participate in the auction. If they lost, then
I'd go to the press with the story of how little their users' security means
to them (again to the highest bidder.) Either way, (only in the long run in
the second case), the users win and I'd sleep like a baby.

It's just as well I'm not a security researcher.

Edit: Wow a lot of drive-by-downvotes. I'm not serious guys, but I hope I have
made some people think about the moral issues involved. It's not as clear as
people are making it out to be in other comments on this post.

~~~
peapicker
Pretty mercenary. What you propose is not ethically neutral... it is akin to
blackmail.

It saddens me to see so many who feel this way.

~~~
eloff
If it leads to a better outcome, does it matter that it's blackmail? It's the
age old moral question of do the ends justify the means. Like most moral
questions the correct answer is not yes or no but "it depends." The real loser
here would be the company with the retarded security policy, and they deserve
what they get. If they have a bug bounty program, then naturally the ethical
thing is to report the bug through the correct channels. If they don't then
their users are the ones silently paying the price. If you wanted to be
squeaky clean you could simply refuse to accept the highest bid if it wasn't
from the company. In that case I really see no moral downside.

~~~
wmt
While the users would be paying the price, it would happen because you
actively made the users suffer because you were not paid enough.

Even sitting on it is immoral, but in a lesser way. Users would then only lose
in the case someone more malicious finds the same problem.

------
gadders
No good deed goes unpunished.

------
umsm
I feel like this is a stupid question, but: Why would people get mad at him
for sending out t-shirts (i.e. tshirt-gate)?

~~~
k3n
Because it's pretty much an industry standard now, for those with a prominent
web presence, to have an official bug bounty program[1]. Google, though likely
not the first, is one of the more prominent companies to offer this -- and has
been for several years -- to the tune of $100-$20,000[2]. A $10 t-shirt is
laughable compared to that, to the point of almost being insulting.

Was it poor form to expect grandiose payouts from a company without a bona
fide bug bounty program? I think so.

Is it even sadder that, up until publicly shamed, Yahoo had no bug bounty
program whatsoever? Definitely.

1. [https://bugcrowd.com/list-of-bug-bounty-programs/](https://bugcrowd.com/list-of-bug-bounty-programs/)

2. [http://www.google.com/about/appsecurity/reward-program/](http://www.google.com/about/appsecurity/reward-program/)

~~~
daeken
> Because it's pretty much an industry standard now, for those with a
> prominent web presence, to have an official bug bounty program

This is so wrong, it's not even funny. Bug bounty programs are awesome -- I've
participated in many of them -- but they're a _tiny, tiny, TINY_ minority. Of
the top 500 websites, how many have bug bounties? 10? That's not an industry
standard; it's a nicety.

That's changing, but seriously, there's absolutely nothing wrong with _not_
having a bug bounty program right now.

~~~
k3n
Aye, good point, perhaps I should have said "...is quickly becoming the
standard".

However, would it be fair to say that a majority of Yahoo's competitors have
bounty programs? Google, Microsoft, etc.

~~~
daeken
Microsoft has done some _extremely_ limited bug bounties, but zero on the web
side of things. Google, yes. But there are tons of major sites that don't have
them, even the engineering-focused ones. Twitter being a great example.

------
jevinskie
Sounds like they "got the picture" and changed their vulnerability reward
system overnight to closely match their competitors. I can't think of a much
better reaction than this.

------
homakov
As a bug hunter, I think the initial problem is bullshit. There is NO POLICY
about rewards in Yahoo. Nobody has the right to "beg" a reward. Especially for
"yet another XSS". Don't like the policy? Go sell that "XSS" if you can
(nobody buys it btw).

------
joshdance
I just felt the first bit of positive goodwill towards Yahoo I have felt in a
while. It is important to recognize that behind more company actions and
policies, there are people. Sometimes doing the best they can.

------
mknappen
Did Ramses Martinez have the authority to pay people who found issues and
instead sent tee shirts? Have people been paid in the past? If yes to both,
the "no good deed goes unpunished" and "I'm new here so lay off" response is
disingenuous. However, if there was no way Martinez could have paid bounties
or no history of payouts, the grumpy response to not being showered with cash
is unreasonable. (And perhaps Martinez, et al., already knew of this
particular vulnerability.)

------
jlgaddis
I'm still impressed that companies reward the reporting of security issues,
whether it's sending a small "thank you" gift, posting one's name on a "hall
of fame" page, or cutting them a check. In the mid-90's, I notified a company
of a major security vulnerability and all I got was a visit from the FBI and
my computer taken away for 16 months. We've sure come a long way!

------
650REDHAIR
Excellent post. Really loved the last line-

"This includes, of course, a check for the researchers at High-Tech Bridge who
didn’t like my t-shirt."

------
santosha
Good on them.

------
Ntrails
I don't know what the T-Shirt looked like, but I am imagining it is a "I
reported a critical bug that affected millions of users and all I got was this
stupid T-Shirt" kind of thing.

Which, frankly, was a pretty cool gesture of thanks from the person writing.
In a way I'd like them to keep the T-Shirts regardless of adding the monetary
bounty.

~~~
homakov
> I reported a critical bug that affected millions of users

XSS lol

------
willvarfar
Reminds me of Knuth sending cheques for corrections to his books; like
Picasso's doodles, pity the fools who cash them :)

------
ukjamster
Good result. Yahoo come out of this looking human and responsible. High-Tech
Bridge have helped raise security standards.

------
bhuga
A classy, concrete response in a human voice. This is exactly how great
companies communicate.

Putting together a bug bounty program for a company like Yahoo is a lot of
hard work with tons of tiny gotchas. It can take forever, and it's never ready
when it needs to be. Looking forward to it.

------
ianhawes
Anyone else catch that their security group is called "Yahoo Paranoids"?
Hilarious!

------
protomyth
I guess a Yahoo shirt isn't quite the recognition factor of a very small check
from Knuth. I dearly hate when someone spends their own money and basically
gets the shaft. People wonder why individuals aren't nice.

------
mgkimsal
A year from now people will be wanting the shirt instead of $150, because
it'll be 'cool' and a visible way of showing off instead of just having an
extra $150 in your account.

------
wavesounds
I like how Yahoo is paying someone to post gifs on tumblr every day:
[http://yahoomessenger.tumblr.com/](http://yahoomessenger.tumblr.com/)

------
Simple1234
I Google or Yahoo rewarded minor bugs. They should care about 404s or a
tooltip bubble with no tip. I find minor bugs on all major websites all the time.

~~~
freehunter
Problem is, minor bugs like a 404 don't majorly impact their operations as
much as being able to get into someone else's email or reset someone else's
password. Typos aren't worth anything when it comes down to impact to
business.

------
joelrunyon
Anyone else impressed someone actually came forward and said "it's on me"? Sad
to say it but this actually surprises me.

------
wesleyac
Thank you for reminding me to think before I start complaining.

------
truthyness
So, isn't it just totally precious how ENTERTAINERS like us begin our postings
with the completely unnecessary "So..." ?

------
post_break
Seems like too little too late. The tshirt thing might have been in good
faith, but wow was it a slap in the face. I wouldn't be surprised if exploits
were sold for less than what they could fetch from Yahoo as a sort of candid
rebellion. I'd love to see someone find an exploit, and then send Yahoo a
shirt.

~~~
biot
My neighbor left their front door unlocked while they were on vacation. I
kindly locked their door and notified them and they sent me a nice bottle of
wine in thanks. What a total slap in the face. A security vulnerability like
that, I should be entitled to at least a home-cooked dinner invite. Now if
you'll excuse me, I have a whiny blog post to write and I will also be
embarrassing myself on Twitter via a series of self-entitled rants showing to
the world how insecure I am.

~~~
jessaustin
So you're saying:

    neighbor family : nice bottle wine :: hundreds of thousands of customers : t-shirt

Hmmm. Your value function appears not to monotonically increase.

~~~
cnlwsu
do something nice for someone where they offered no reward : they gave me
something because they thought it was nice

do something for someone who never offered to give you anything but you
expected a thousand dollars anyway : they gave me something because they
thought it was nice

