Abusing Amazon's Look Inside feature to leak unreleased content (justmaku.org)
139 points by justMaku on Dec 31, 2018 | hide | past | favorite | 29 comments



> Disclaimer: Amazon doesn't have a bug bounty program and didn't offer anything other than thanks and gratefulness for bringing the vulnerability to their attention. Blizzard Entertainment (as the copyright holder for the book I was testing with) has also been notified of this vulnerability and has offered a small gift but never fulfilled that promise.

I'm not surprised Amazon would pay with nothing more than a nice email. What's more surprising is that Blizzard would give the author the shaft like that. They're usually pretty good about this sort of thing.


Then next time someone finds an Amazon bug, they should release it 0-day on their blog for the lulz^H^H^H^H credit.

Or sell it to someone who can make use of it.

It's incredibly entitled for a company to not run a bug bounty program then complain when people drop 0-days on their github blogs.


If you find that someone forgot their car door open, do you deserve money for not telling thieves where you can find a car with an open door?

Bug bounties are a good incentive for hardening your security, but is exploiting flaws the moral thing to do by default? Does there need to be a monetary incentive for people to do the right thing?

I run a service that has a few users and makes about $200/mo. Someone once emailed me that they found a bug and whether I run a bug bounty program. I told them I couldn't really afford one and they never replied. Are they now morally justified to publicize the flaw?


Your analogy has cause and effect reversed. The correct analogy is that if I know there is a reward for telling people their car doors are open, I will go around town specifically looking for open car doors. With no reward, I'm just going to go about my life not even looking at car doors.

Your service may be too small for this, but a company like Amazon typically saves money overall by running a bug bounty program because uncaught bugs can be extremely expensive.


The GP said "the next time someone finds a bug", ie the assumption is that a bug has been found. They didn't talk about whether bugs would be found or not.


Selling zero day exploits is an amoral act.

That being said, your analogy is broken and doesn't fit here at all. First, parking lots are passive and have no intelligence. Amazon is neither of those things. Also, there are no such people who dedicate their career to lawfully testing the security of parking lots in exchange for money.

In the real world of mega corporation technology (which is almost as different from a parking lot as you can get) there are countless black hats motivated by money to steal from Amazon, and countless grey hats who would help combat or mitigate the issues if properly compensated. White hats are the rare exception and report issues even without compensation.

There are numerous grey hats who: 1) If there is a bug bounty program, would report the issue to be fixed 2) else, would ignore the issue entirely.

You know this is true because you experienced it yourself. The difference is you can't afford the service of a grey hat.

So forget the morality of these hackers.

Amazon refusing to pay out a bug bounty program is amoral. Because what you're seeing is Amazon trading the security of their customers, and for what? Greed and hubris it seems.


> their car door open,

Not at all similar. One is leaving open the door to your own car. The other is someone who is being entrusted with keeping something safe for third parties "leaving the door open", i.e. being in breach of that trust, and essentially saying that they don't give a frack about their infraction.

So how can Amazon be sanctioned for this infraction?

While I also don't see "breaking in" as necessarily a great option, it may be less bad than letting Amazon just get away with it. Unless there is a good way to fine or otherwise sanction Amazon, I am not sure there is an actual good option.


You can't afford a bug bounty program. Amazon can.


Does that make it moral for someone to disclose the bug? "This parking lot leaves cars unlocked, but since they seem busy and aren't paying me not to, it's okay if I tell thieves about it".


Telling thieves in particular? Absolutely not.

Telling everyone (unfortunately including thieves)? I think it is. Such negligence should be disclosed.


>If you find that someone forgot their car door open, do you deserve money for not telling thieves where you can find a car with an open door?

Conversely, if you accuse the person who tells you the door is open of stealing from you and threaten to call the police, should you really be surprised if next time that happens they tell someone, maybe in exchange for a cut of the profit?


Sorry, that's ridiculous and borderline extortion. Sounds like protection money for the mob.

If there's any entitlement, it's within the small but vocal subset of security researchers that feel that unsolicited bug finding should be compensated under threat of public disclosure.


Perhaps Blizzard was. Activision-Blizzard seems to have abandoned their virtues.


Yeah, I remember interviewing just after the merger when they opened the Cork office. I was 17, flew to Ireland, and the guy who was supposed to interview me face to face had taken a late lunch, so I got interviewed in about 5 minutes by someone who was clearly not interested, and it then took them 6 months to get back to me.

Nice one, good job guys.


I imagine they get thousands of people applying a day. Sad you flew to Ireland, that's messed up that they forgot.

The bad practices for me, are their pivoting toward lootbox pay2win gambling designs.


Are you sure? In their latest COD loot boxes do not contain anything pay to win. Same with Overwatch which falsely gets blamed for the whole lootbox thing we have going on atm - https://youtu.be/PTLFNlu2N_M

Destiny2 had some issue with theirs, but didn't they listen to the community and fix those?

I'm not a fan of loot boxes, but theirs are not as bad as others in the industry.


I was thinking hearthstone card packs as loot boxes, and they sort of popularized skinner boxes in games with the epic drops in wow


> epic drops in wow

Which was a feature in games before WoW but isn't a pay-to-win mechanic, as you cannot pay for "drops". WoW for the longest time refused to have a real-money gold shop; it was more that people were buying in-game gold from 3rd parties anyway, so they might as well make a safe way to do it (which isn't a direct cash-for-gold transaction; rather, another player has to buy your game time token, but that will usually happen within 30 mins).

As for Hearthstone, I would lay the blame more at Magic: The Gathering Online personally (though not the first), but I see your point that the game has become very popular and became the "cardboard crack" that IRL Magic was (at least with Magic: The Gathering Online you could trade / sell your online cards with others until you piss off WotC and they nuke your account).


Another similar recent move was the widespread disdain mobile Diablo got at BlizzCon; fun YouTube clips of that.

My point about the drops is that skinner boxes are dangerous. My RA flunked out due to wow. Some small group of people really struggle with casino stuff


[flagged]


> Oh cmon some guy breaking into others system feels entitled to want cash prize.

I don't think he was specifically seeking a cash prize; he reported it to Amazon despite them not having a standing offer for such prizes. Also, aggregating the results of searches that Amazon specifically allows is hardly "breaking in".

> He should have been sent to prison for this.

That seems like a recipe for Amazon having a lot more security holes (which is probably why Amazon won't seek damages here).

> Breaking into someone's house is theft regardless whether owner forgot to lock the door.

No, taking someone's property is theft. Nothing was stolen here.

> Let's just break into neighbors house and tell them that their door failed against the latest gen plasma cutter. Now pay us bounty for this finding?

This leaves the door damaged. Nothing of Amazon's was damaged here. Also the door is (probably) not expected to be robust against plasma cutters. Amazon thanked the author of the post for bringing this to their attention.

This is more like "Your neighbor has an early 2000s Kryptonite bike lock and you show them it can be opened with a Bic pen[1]. They thank you and get a different bike lock."

1: https://www.wired.com/2004/09/twist-a-pen-open-a-lock/


Idk, to me your mindset seems mad. There are bad actors in the world; we all know that. So if you ran an online company and I was your customer, I should expect that no one will attack your company because it is illegal? And you would not take steps to protect your company because attacking it would be illegal? Saying it out loud sounds crazy. There is no legality when the person stealing my data may be in Russia, or China, or India, who may be an individual, an organized crime ring or a state actor. The internet does not care about your legality. So by offering a bug bounty program you are at least showing some interest in the white hat people not working to screw you over, when in many circumstances it would probably be much more profitable for the bugs to be exploited or sold. Why would you want to send this type of person to prison?


That's how these things typically work. So long as he explored the vulnerability and reported it ethically - and there are both laws and industry norms about that - then typically a small cash bounty is paid if the bug is serious. This is because you want hackers to report vulnerabilities to you so you can fix them. It's more like returning someone's wallet. You give the person a couple of dollars for their trouble. A company like Amazon, you definitely expect them to have an explicit bug bounty program. This system is good for both consumers and businesses, and there's no reason, even purely from a business calculus perspective, not to throw someone a few bucks for the professional reporting of a vulnerability.


Bug bounties are a) professional courtesy to say "thanks for telling us" and b) a way to incentivise someone to write up the bug report.

Otherwise, if I as a white hat discovered this bug, I might just not bother reporting it. I wouldn't exploit it, but the next guy might. Hence, bug bounty programs.


Interesting, the "stitch together a bunch of substrings of a large string" task also comes up in DNA sequencing: the physical process basically randomly samples a bunch of snippets that are each a few hundred bases long, and you need to use software to detect overlaps and combine them into one long sequence. It's a pretty heavily-researched computational problem, I believe. The author's simple algorithm seems to have worked, but I guess the DNA case is harder because you don't really have the "page number", you have a lot more snippets to combine, and snippets may have errors, with more errors occurring toward the ends.

Some information on the topic: https://en.wikibooks.org/wiki/Next_Generation_Sequencing_(NG...
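The overlap-and-merge problem the comment above describes, as an added illustration that is not from the article or from the commenter: a greedy assembler that repeatedly joins the two snippets with the longest suffix/prefix overlap, the textbook approach to the shortest-common-superstring problem used in sequence assembly. The snippets below are constructed, the `min_overlap` threshold is an assumed parameter (it stops two snippets being glued together on a single shared character), and snippets that do not overlap anything are returned as separate contigs rather than forced together, which is the "you don't have the page number" failure mode the comment mentions.

```python
"""Greedy overlap assembly of short snippets (constructed example)."""
from typing import List


def overlap_len(a: str, b: str, min_overlap: int) -> int:
    """Length of the longest suffix of `a` that is also a prefix of `b`.

    Overlaps shorter than `min_overlap` are ignored, so a spurious
    one-character match cannot cause a bogus merge.
    """
    best = 0
    for k in range(min_overlap, min(len(a), len(b)) + 1):
        if a.endswith(b[:k]):
            best = k
    return best


def assemble(snippets: List[str], min_overlap: int = 3) -> List[str]:
    """Merge overlapping snippets greedily, longest overlap first.

    Returns a list of contigs: one string if every snippet chains to the
    others, several if some snippets share no overlap of `min_overlap`
    characters with anything else (the assembler never guesses an order).
    """
    pieces = list(dict.fromkeys(snippets))  # dedupe, preserving order
    # A snippet wholly contained in another adds nothing; drop it.
    pieces = [p for p in pieces if not any(p != q and p in q for q in pieces)]

    while len(pieces) > 1:
        best_k, best_i, best_j = 0, -1, -1
        for i, a in enumerate(pieces):
            for j, b in enumerate(pieces):
                if i == j:
                    continue
                k = overlap_len(a, b, min_overlap)
                if k > best_k:
                    best_k, best_i, best_j = k, i, j
        if best_k == 0:
            break  # nothing left that overlaps: leave the contigs separate
        merged = pieces[best_i] + pieces[best_j][best_k:]
        pieces = [p for idx, p in enumerate(pieces) if idx not in (best_i, best_j)]
        pieces.append(merged)
    return pieces


# Constructed sample: four overlapping fragments of one sentence.
SNIPPETS = [
    "the quick brown",
    "brown fox jumps",
    "jumps over the lazy",
    "the lazy dog",
]

if __name__ == "__main__":
    print(assemble(SNIPPETS))
    print(assemble(["abcdef", "xyz123"]))  # no overlap: two contigs
```

Raising `min_overlap` trades recall for precision: with real sequencing reads (or OCR'd text) that contain errors near their ends, exact suffix/prefix matching like this fails and the heavily-researched assemblers the comment alludes to switch to approximate overlap scoring instead.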


The use of that feature to extract significant amounts of content was noticed over a decade ago by Fravia and his followers:

http://search.lores.eu/books.htm (near bottom of page)

Of course, back then it was the norm to publish this information in a place for those seeking information or otherwise "keep it tight", and not instead let them tighten the nooses around our necks by instantly snitching to the company for the hope of a paltry monetary reward...


I think you should consider that some people need money more than a goofy clandestine camaraderie with other "information seekers" on the internet, and also that bug bounties frequently exceed "paltry."


This is sort of tangential, but: it doesn't make any sense that there's OCR going on in that process. Surely Amazon could just ask for the digital version of the book as a requirement for SearchInside participation?


Not sure how the specifics of this works on amazon but when I read it initially I assumed the results were returned as images which seems to make a little bit more sense, although possibly not that much.

Although reading it again it does seem to be quite unclear...


What was the fix? The article doesn't say.



