$4500 for a website auth bypass is not a slap in the face.

Yes, it is. Knowing this exploit was worth many orders of magnitude more to Facebook. You can't think of the money as an absolute amount and say, "hey, that sounds pretty good." It has a market value, both to fb and to blackhats, and that market value is far higher than $4500.

Have you sold a lot of vulnerabilities, then? Can I ask if you're speaking from experience here?

One other thing to consider here is that these $4,500 are not packaged with a felony.

Selling vulns/exploits may be distasteful, but it's not illegal.

If you sell an exploit to someone who then uses it for illegal purposes you could be prosecuted for your involvement in that crime.

Only if they can prove that you knew exactly who you were selling to and for what purpose. This is a pretty high standard to meet...

If you say so. I think you're probably wrong about this.

Also, being listed on FB's responsible disclosure page isn't worthless.
