15k? Heartbleed bug worth more like $1M - dpweb
http://run-node.com/15k-heartbleed-bug-worth-more-like-1-million/

======
runeks
Users, like the author of this blog, benefit from a secure SSL implementation
as well: it makes sure our data is secure. How much has the author voluntarily
paid to the person who discovered the bug?

It's quite easy -- and probably completely ineffective -- to come out and say
_someone_ should pay this man one million dollars. In my opinion, it's a lot
more helpful to shell out some money yourself, at least if you think other
people are obligated to do so.

I don't mean to say that this guy should just "shut up and pay up" -- not at
all. My point is that it's often a lot more effective to, when something needs
to be done, do 1% of what needs to be done, instead of asking "other people"
to do 100% of it. If we all do the latter, nothing gets done, and if only 100
people do the former, it's done.

------
paulbaumgart
Bounties should work in principle: people who rely upon and care about having
a secure crypto implementation should be willing to put up money for bug
bounties.

Seems like people don't care enough to put up the cash. Why?

There are data breach insurance policies for sale. Why aren't these insurance
companies putting up bug bounties for responsibly disclosed vulnerabilities?
Is there a market gap here?

~~~
mithras
The other side of the market reportedly works much more efficiently. Tons of
middlemen sourcing the latest 0days and paying more the higher up the pyramid
they get.

