> The entire process was so flaky and frustrating that I haven't bothered sending them two XSS holes that I have also found in the past year.

You realise you're hurting innocent users much more than Facebook itself by not reporting them, right?

It's not his duty to report such things.

No one is "honor-bound" to report vulnerabilities; in fact, it seems unethical to expect any random person to try to fix any random problem they stumble upon, don't you think?

My philosophy: it's backwards to look down on those who don't report vulnerabilities; it's better to be pleasantly surprised when someone does.

But he's certainly not "hurting" anyone at all. He didn't disclose any details of the attacks.


I guess I'm too nice myself. It'd be nice if we all did that extra 10% to make the world better.

Normally these things are incredibly easy to report—sending a quick summary of the problem to a specific email address is all it takes.

(Facebook has a web form for it[1].)

[1] http://www.facebook.com/whitehat/report/


He didn't put the bugs there, he only discovered information that already existed. He can't be blamed for hurting anyone.

It's easier to work for free like this if it is an open source group or a non-profit. It's a bit harder when it's a $100 billion company. If they don't compensate security researchers, let them find their own bugs.
