
Interview with StrongWebmail's $10,000 Hacker - vaksel
http://www.fireblog.com/exclusive-interview-with-strongwebmails-10000-hacker/
======
vnuk
Is it just me, or I don't see anywhere in this interview that they actually
paid up...

~~~
TallGuyShort
I was wondering the same thing - I remember their blog said "they were
investigating whether or not contest rules had been followed". Which is kinda
stupid, since attackers don't follow the rules, and could make more than
$10,000 by NOT telling you about the vulnerability.

Anyway... I really appreciate his emphasis on never expecting things to be
"bullet proof". People need to remember that more.

------
bayareaguy
This is a great hack. The company received a message claiming details proving
an XSS vulnerability, but the details did not in fact exist until they
followed the instructions in the message _with the vulnerable interface_
meaning that in effect the email acted like a call to a function returning a
promise[1] which was fulfilled when the message was read.

1- <http://en.wikipedia.org/wiki/Futures_and_promises>

------
TheSOB88
Cool stuff, but I disagree with Lance's last word. The public ( _not_ the
technically inclined) is going to expect "bullet proof" performance, so saying
you aren't is going to hurt you.

------
sanj
Is anyone interested in the value provided by Firehost? They seem to have the
expertise.

~~~
greg_gti
Firehost is a new company, but their advantage is they built their
infrastructure starting with security, and that's their core focus.

