
Bounty hunters are legally hacking Apple and the Pentagon - EvgeniyZh
https://www.theguardian.com/technology/2016/aug/22/bounty-hunters-hacking-legally-money-security-apple-pentagon
======
nstj
There's a great episode of the security podcast "Risky Business" which
profiles the featured security researcher in this article[0]

[0]: [http://risky.biz/RB406](http://risky.biz/RB406)

------
DyslexicAtheist
You can reduce the costs of infosec consulting by combining it with bug-bounties.

The more prominent the brand/company the more people will want to find vulns.
Especially when you're not the Pentagon or Apple but some no-name vendor
nobody ever heard of. In that case you won't get the same value out of it.
They're not a replacement for regular professional security audits. Really
crucial for small firms who think they solve all problems with a bug-bounty[0].

The "market" currently dictating the amounts offered in bounties doesn't
really reflect the level of risk[1] associated with vulns. And IMO never will.

Bug-bounties aren't new, but the professional way and scale in which they're
organized is new (crowd-sourcing really works here). So I'm pretty excited to
see how this evolves.

[0]
[https://twitter.com/CopperheadOS/status/753253574184951808](https://twitter.com/CopperheadOS/status/753253574184951808)

[1]
[https://twitter.com/rantyben/status/753080683657060353](https://twitter.com/rantyben/status/753080683657060353)

------
update
biggest news here is that Apple now has a bug bounty program

~~~
Esau
It was announced earlier this month:

[http://www.nytimes.com/2016/08/05/technology/apple-will-pay-...](http://www.nytimes.com/2016/08/05/technology/apple-will-pay-a-bug-bounty-to-hackers-who-report-flaws.html?_r=0)

[http://www.slate.com/blogs/future_tense/2016/08/09/why_apple...](http://www.slate.com/blogs/future_tense/2016/08/09/why_apple_s_bug_bounty_program_is_unlike_any_other.html)

------
dang
URL changed from [https://www.technologyreview.com/s/602224/a-bug-hunting-hack...](https://www.technologyreview.com/s/602224/a-bug-hunting-hacker-says-he-makes-250000-a-year-in-bounty/), which is pretty much entirely cribbed from this.

Submitters: the HN guidelines ask you to submit original sources. When one
article is copied from another, please submit that one instead.

