Churchill: "Madam, would you sleep with me for five million pounds?"
Socialite: "My goodness, Mr. Churchill... Well, I suppose... we would have to discuss terms, of course..."
Churchill: "Would you sleep with me for five pounds?"
Socialite: "Mr. Churchill, what kind of woman do you think I am?!"
Churchill: "Madam, we've already established that. Now we are haggling about the price."
The purpose of reward schemes is to reward white hats, not to compete with the bad guys for the black hat discoveries.
> The purpose of reward schemes is to reward white hats, not to compete with the bad guys for the black hat discoveries.
How many other industries are there where individuals with valuable skills routinely volunteer to help multi-billion dollar corporations despite no guarantee of reward?
These people are doing work that typically warrants a six-figure salary or several hundred dollars per hour, and they're doing it almost entirely because it's the right thing to do. And Facebook should reward them well enough that they'll continue doing it, not only because it's good for the security of Facebook and its users but because it's the right thing to do.
I don't know how much Facebook has given to the other 65 people who disclosed exploits this year, but it will be innocent users who suffer most if they all share Yvo's sentiment.
He spent a day finding the exploit, and got $4500. That scales quite well if he can keep it up.
At the point the exploits are harder to find, Facebook can make a decision as to whether it's important to keep searching as hard, and raise or lower the price as they see fit. This is the market in action.
He might have made more on the black market, but why it would be worth more is important. On the black market, the transaction comes with legal risk. Risk increases payout (by reducing supply).
That sentence is such a false dichotomy it's hard for me to take you seriously.
Is it evil to want to feel appreciated for your work? The message Facebook is sending is that they honestly don't care if you find huge, potentially costly security holes in their software and go out of your way to let them know.
edit: It seems from reading other comments $4500 is actually quite reasonable. I was basing my comment on the author saying it was a "paltry fee".
You take a huge risk even notifying companies of a security flaw you found, since that usually implies you were doing unauthorized penetration testing and they'd have a case against you under the oh-so-wonderful CFAA. Or they'll just ignore you completely and never patch the flaw.
If they value responsible disclosure, they should pay enough to make it worth the effort. They need not compete with black market prices.
There are more incentives than money. Some people like the thrill, some like the "thanks!" from the person they helped, some just like fucking around with web security.