
   Churchill: "Madam, would you sleep with me for five million pounds?"
 
   Socialite: "My goodness, Mr. Churchill... Well, I suppose... 
               we would have to discuss terms, of course... "

   Churchill: "Would you sleep with me for five pounds?"

   Socialite: "Mr. Churchill, what kind of woman do you
               think I am?!" 

   Churchill: "Madam, we've already established that. 
               Now we are haggling about the price."
You're either a black/grey hat or a white hat. Either you're a white hat and believe selling to malicious hackers is fundamentally wrong and you wouldn't do it at any price, or you're a black hat waiting for the right price.

The purpose of reward schemes is to reward white hats, not to compete with the bad guys for the black hat discoveries.




> You're either a black/grey hat or a white hat. Either you're a white hat and believe selling to malicious hackers is fundamentally wrong and you wouldn't do it at any price, or you're a black hat waiting for the right price.

> The purpose of reward schemes is to reward white hats, not to compete with the bad guys for the black hat discoveries.

How many other industries are there where individuals with valuable skills routinely volunteer to help multi-billion dollar corporations despite no guarantee of reward?

These people are doing work that typically warrants a six-figure salary or several hundred dollars per hour, and they're doing it almost entirely because it's the right thing to do. And Facebook should reward them well enough that they'll continue doing it, not only because it's good for the security of Facebook and its users but because it's the right thing to do.

I don't know how much Facebook has given to the other 65 people who disclosed exploits this year, but it will be innocent users who suffer most if they all share Yvo's sentiment.


> These people are doing work that typically warrants a six-figure salary or several hundred dollars per hour

He spent a day finding the exploit, and got $4500. That scales quite well if he can keep it up.

At the point the exploits are harder to find, Facebook can make a decision as to whether it's important to keep searching as hard, and raise or lower the price as they see fit. This is the market in action.

He might have made more on the black market, but why it would be worth more is important. On the black market, the transaction comes with legal risk. Risk increases payout (by reducing supply).


There would be very little legal risk associated with selling this on the black market. The problem would be finding the buyer. The prosecution would have to prove that the seller knew for a fact that he was selling the vulnerability to a known criminal.


> Either you're a white hat and believe selling to malicious hackers is fundamentally wrong and you wouldn't do it at any price, or you're a black hat waiting for the right price.

That sentence is such a false dichotomy it's hard for me to take you seriously.

Is it evil to want to feel appreciated for your work? The message Facebook is sending is that they honestly don't care if you find huge, potentially costly security holes in their software and go out of your way to let them know.

edit: It seems from reading other comments $4500 is actually quite reasonable. I was basing my comment on the author saying it was a "paltry fee".


Facebook is doing the right thing here. Very few companies have a responsible disclosure policy, much less a reward system.

You take a huge risk even notifying companies of a security flaw you found, since that usually implies you were doing unauthorized penetration testing and they'd have a case against you under the oh-so-wonderful CFAA. Or they'll just ignore you completely and never patch the flaw.


Huh? They cared enough to send him $4500 as a thank-you. Their obligation in this case was zero.


I'm sorry, but this is naive. And your anecdote argues against the point you are making below it. Most people do have a price, even "good" people. And good people like OP are more likely to stay good when they feel it's appreciated. I think the price FB paid him is almost like a slap in the face, and could have the effect of antagonizing otherwise helpful people.


$4500 for a website auth bypass is not a slap in the face.


Yes, it is, knowing this exploit was worth many orders of magnitude more to Facebook. You can't think of the money as an absolute amount and say, "hey, that sounds pretty good." It has a market value, both to FB and to blackhats, and that market value is far higher than $4500.


Have you sold a lot of vulnerabilities, then? Can I ask if you're speaking from experience here?


One other thing to consider here is that these $4,500 are not packaged with a felony.


Selling vulns/exploits may be distasteful, but it's not illegal.


If you sell an exploit to someone who then uses it for illegal purposes you could be prosecuted for your involvement in that crime.


Only if they can prove that you knew exactly who you were selling to and for what purpose. This is a pretty high standard to meet...


If you say so. I think you're probably wrong about this.


Also, being listed on FB's responsible disclosure page isn't worthless.


The black hats exist either way because there is a lucrative market. If there is no incentive for white hats, they just won't play the game. It's not that they'll "turn into black hats", but the effect for Facebook and their users is pretty much the same: the only people looking for exploits are black hats.

If they value responsible disclosure, they should pay enough to make it worth the effort. They need not compete with black market prices.


> If there is no incentive for white hats, they just won't play the game.

There are more incentives than money. Some people like the thrill, some like the "thanks!" from the person they helped, some just like fucking around with web security.


Of course, your whole philosophy assumes everyone looks at the world in terms of Good Guys and Bad Guys, and has the same idea about who they are that you do.


Rather, his philosophy assumes that if you are a white hat you cannot be concerned about a reward. In reality white hats simply have enough moral compass to not place the exploit into wrong hands, which doesn't mean they don't care about a reward. By this rationale lawyers, for instance, should not be setting a price on their time when they believe defending a particular case will be doing a good Good Deed.


These companies don't have to compete with the bad guys, but smart companies would be competitive with each other for the finite amount of time that hackers have.



