I'm not sure I understand some of the comments here claiming that 10k is not enough money for this. It clearly is enough money because Orange found the problem and reported it.

These arguments always remind me of people claiming that certain professions are not paid enough. They forget that there is a market for labor and in this case the labor is finding vulnerabilities. People will either be willing to work for the posted price or not. In the case of pen testing Facebook I'd be willing to bet there are plenty of people out there looking for bugs who aren't even really concerned with what the final payout is going to be.

Yeah, they could have gotten completely owned if he didn't report this. But to him reporting it and getting 10k in compensation was sufficient. Why would Facebook pay him a million if he was willing to take 10k?

It was enough for Orange. But think about demand elasticity. Perhaps there are 100 other Oranges for whom the bounty was not enough.

Clearly the bounty was not enough for the mystery attacker / researcher / hacker / whatever that Orange discovered exploiting the same hole.

From Reginaldo's post it appears that it was another bug bounty guy who was the mystery attacker.

I personally find it a little difficult to believe that this was a security researcher. Exploiting a vulnerability (against the rules of engagement), _and_ uploading a web shell?

Seems more likely that Facebook wasn't thrilled that Orange included the details of an existing, unknown Facebook compromise in his write-up.

That's understandable.

There are two markets for this type of labor: one provided by the bounty programs and one provided by those who want to abuse the vulnerabilities, e.g. secretive three-letter agencies, etc.

I would imagine that the latter of the two is almost always willing to pay more. I would also imagine that by the time you're a skilled pentester, you're in your mid-to-late thirties and maybe are worried about how you're going to put your kids through college, or how you're going to retire.

So what do you do? Do you take the larger sum of cash and plague yourself with worrying about bitcoins, how you're going to lie on your taxes, and deal with the ethics of helping shady organizations?

Or do you help the company? Now you don't have to lie on your taxes or launder bitcoin, but you do have the pressure to find more security problems to make enough cash to meet your financial needs.

And the ball is solely in the court of the companies running bounty programs-- if they were to always provide more money than the black market, there's virtually no reason to bring it to someone else.

I don't think it's unreasonable for them to not want to give away more than they have to, but I get the sense that there's little to no negotiating power for the vulnerability finder-- and they should probably work on that.

No, there isn't. Message board nerds love to try to reason through vulnerability valuation, but the reality is that there are very few people who will pay for serverside vulnerabilities at Google or Facebook (or anywhere else).

The reason is that for a vulnerability to be worth money, someone needs to have a business process ready to go to monetize the vulnerability. Without that proven process, a vulnerability is just like any "Show HN" without a business model or revenue.

There are certain kinds of vulnerabilities --- browser code execution, most notably, but a couple others --- that organized criminals have whole businesses set up to drop in and run and make money with. If you have one of those vulnerabilities, you've got lots of takers for it, and the prices for those vulns are nosebleed high.

There are a few kinds of organizations that will pay for a Facebook serverside RCE. Good luck finding them. Or, I should say, not finding them. Those same organizations will kill you and your whole family just to make a point. That is, after all, the only reason they want to buy Facebook serverside RCEs.

Because the pay scale is subjective and the reporter doesn't know the amount before they report. FB and others have guidelines for their bounty programs that leave an upward bound open for severe vulnerabilities.

The argument these comments are making is that this report should qualify in some way for a higher payout.

I'm not arguing for either side here, just noting that the comments that you refer to are fairly reasonable.

There is an implicit "without exploitative downward pressure on wages" clause to the sentence every time people say "_______ isn't paid enough."

You forget that no assertion of values makes sense when divorced of context.

There is no free market of labour. Under penalty of death you are forced to sell your labour. Ultimate buyer's market.

Companies die without employees too!

A little more seriously, somehow we have to find language for different types of coercion. Otherwise we'll end up lumping the whole complicated world into one lump.

I could choose to sell a different form of my labor, like my ability to perform physical labor instead.

This is a beautiful summary. Thank you. I will be stealing this.

You can run your own business.

