
As promised, Kim Dotcom starts payouts for Mega vulnerability reward program - Lightning
http://thenextweb.com/insider/2013/02/10/as-promised-kim-dotcom-starts-payouts-for-mega-vulnerability-reward-program-seven-bugs-fixed-in-first-week/
======
DigitalSea
I really think Dotcom is making all of the right moves here. I remember
reading a multitude of comments from people on various sites saying that he
would rip people off with his "vulnerability reward program" but here we are,
Dotcom is putting his money where his mouth is and paying out the money. Mega
is definitely a rising force and once the kinks are ironed out, Hollywood
should be very scared.

~~~
trotsky
Wait, how much money did he pay out, and to whom? What would be the point of not
listing who is being paid or what they're being paid, except for deception?

~~~
DigitalSea
Does it matter how much money he paid out and to whom? Things are getting fixed
by the looks of it. Do Google or Facebook release a list of names and how much
they paid for their bounty programs? (I did a search, but couldn't find
anything, so maybe they do). If Dotcom were to try and rip someone off, sites
like Techcrunch would foam at the mouth to release a story like that. Everyone
loves to hate Dotcom, the insinuation in your comment about deception proves
this very fact (unless you have evidence that proves he is being deceptive and
hiding the information for nefarious reasons?).

~~~
bbatsell
> Do Google or Facebook release a list of names and how much they paid for
> their bounty programs?

Names, yes; $, no.

[1]: [https://www.google.com/about/appsecurity/hall-of-fame/reward...](https://www.google.com/about/appsecurity/hall-of-fame/reward/)
[2]: <https://www.facebook.com/whitehat/>

~~~
shared4you
$, yes. One of the Indians who was gifted by Google:
[http://www.sandeepkamble.com/skl337/2012/12/28/vulnerability...](http://www.sandeepkamble.com/skl337/2012/12/28/vulnerability-report-activities-gift/)

------
chris_wot
OK, I take it back. He paid out, not that he would have ever read my original
comment (or even this one), but I owe Kim an apology.

------
philliphaydon
Good on Kim for paying them out.

------
josscrowcroft
I'm like 99% sure they intentionally left a few 'low-risk' vulnerabilities
which they knew people would uncover (and be rewarded for) to entice the big
boys of security probing to roll up their sleeves and get to work looking for
the really big ones.

In the long run, they're paying a reasonable amount of money for an army of
security consultants to give the service a once-over. Smart!

~~~
dexter313
Why would you intentionally leave in potential vulnerabilities if you
hypothetically have the option to release bug-free code and boast about it?

~~~
LeafStorm
You never have the option of releasing bug-free code. So if they released code
with bugs, called it bug-free, and boasted about it, someone would come along,
prove them wrong, and embarrass them.

~~~
kristofferR
They wouldn't boast about it directly, simply having a bug bounty where no
bugs were found/reported would do the boasting for them.

~~~
chris_wot
The publicity wouldn't be as effective. However, I can't see them doing this.

