Hacker News new | comments | show | ask | jobs | submit login

I'm sorry, but this is naive. And your anecdote argues against the point you are making below it. Most people do have a price, even a "good" people. And good people like OP are more likely to stay good when they feel it's appreciated. I think the price FB paid him is almost like a slap in the face, and could have the effect of antagonizing otherwise helpful people.

$4500 for a website auth bypass is not a slap in the face.

Yes, it is. Knowing this exploit was worth many orders of magnitude more to facebook. You can't think of the money as an absolute amount and say, "hey, that sounds pretty good." It has a market value, both to fb and to blackhats, and that market value is far higher than $4500.

Have you sold a lot of vulnerabilities, then? Can I ask if you're speaking from experience here?

One other thing to consider here is that these $4,500 are not packaged with a felony.

Selling vulns/exploits may be distasteful, but it's not illegal.

If you sell an exploit to someone who then uses it for illegal purposes you could be prosecuted for your involvement in that crime.

Only if they can prove that you knew exactly who you were selling to and for what purpose. This is a pretty high standard to meet...

If you say so. I think you're probably wrong about this.

Also, being listed on FB's responsible disclosure page isn't worthless.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact