
4chan announces vulnerability disclosure program  - forlorn
http://blog.4chan.org/post/84931784192/announcing-4chans-vulnerability-disclosure-program
======
eggbrain
Key terms:

For each eligible vulnerability report, the reporter will receive:

* Recognition in our Hall of Fame.

* Either $20 in self-serve advertising credit valid for one year, or a 4chan Pass valid for one year ($20 value, subject to Terms of Use).

~~~
moot
The goal was to create a framework through which people could safely test and
report exploits. In addition, 4chan isn't in a financial position to dole out
large bounties.

~~~
rdl
I think the Hall of Fame is worth more than the $20.

This is one of those cases where the $20 is probably worse than $0, though
(even though it's non-cash). It's like "hey, friend, will you (help me
move|have sex with me|etc)"; more likely to do it as a favor than when $20 is
offered. Probably even _more_ likely to do it for $1k than as a favor.
$1000>0>$20.

~~~
michaelbuckbee
I remember on one of the early StackOverflow podcasts that Joel very
specifically wanted to stay away from any kind of monetary compensation for
answering questions because as soon as somebody tries to do a $/time
equivalency in their head the whole thing looks like a rip-off.

Much better to frame things as a way to show off to peers, help the community,
etc.

~~~
sillysaurus3
When it comes to security vulnerabilities, hackers usually sell them to the
highest bidder, which is why it's good for the highest bidder to be the bug
bounty program. Recognition is nice, but money fixes problems.

~~~
icegreentea
I honestly don't think there are many situations where the highest bidder for
a bug will be a bug bounty program. Consider from a couple of years back when
Vupen won Pwn2Own against Chrome, and Vupen refused to disclose, based on the
commercial value of the exploits. The key quote (and I don't think he's
exaggerating) is: “We wouldn’t share this with Google for even $1 million,”
says Bekrar. “We don’t want to give them any knowledge that can help them in
fixing this exploit or other similar exploits. We want to keep this for our
customers.”

[http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-th...](http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/)

~~~
sillysaurus3
Thank you for the wonderful article! If anything, this is more evidence that
money is more important than recognition, so bug bounty programs had better be
lucrative.

It seems like if Google were to offer a $1M bug bounty tier, it'd be much more
likely that Vupen's exploits would be discovered by someone else.

------
ctb_mg
I think it would be a very good idea for moot to bite the bullet and pay for a
moderately thorough security audit of 4chan's code.

This one-time investment would hopefully resolve most of the major/obvious
security issues. Then the code could be open-sourced with moderate confidence
that a million 0days would not be exploited instantly -- and the community can
catch the obscure holes.

~~~
moot
> I think it would be a very good idea for moot to bite the bullet and pay for
> a moderately thorough security audit of 4chan's code.

Where/who would you suggest? I'm certainly open to the idea.

~~~
sillysaurus3
Matasano: [http://www.matasano.com/](http://www.matasano.com/)

It's a well-respected security firm that's been around for a long time.

------
bvttf
Sad this isn't an announcement of a new /0day board that serves as a pastebin
alternative.

------
eyeareque
This is great. Before long it will be more rare for a site/company to not have
a bounty program vs. having one.

------
heinrich5991
Is the host down?

~~~
Sir_Cmpwn
Do you have HTTPS Everywhere installed?

~~~
heinrich5991
Yes.

~~~
Sir_Cmpwn
Well, take that information and use it to determine what you should do to
solve the problem.

~~~
heinrich5991
Thanks, worked! :)

