> You're either a black/grey hat or a white hat. Either you're a white hat and believe selling to malicious hackers is fundamentally wrong and you wouldn't do it at any price, or you're a black hat waiting for the right price.

> The purpose of reward schemes is to reward white hats, not to compete with the bad guys for the black hat discoveries.

How many other industries are there where individuals with valuable skills routinely volunteer to help multi-billion dollar corporations despite no guarantee of reward?

These people are doing work that typically warrants a six-figure salary or several hundred dollars per hour, and they're doing it almost entirely because it's the right thing to do. And Facebook should reward them well enough that they'll continue doing it, not only because it's good for the security of Facebook and its users but because it's the right thing to do.

I don't know how much Facebook has given to the other 65 people who disclosed exploits this year, but it will be innocent users who suffer most if they all share Yvo's sentiment.




> These people are doing work that typically warrants a six-figure salary or several hundred dollars per hour

He spent a day finding the exploit, and got $4500. That scales quite well if he can keep it up.

At the point the exploits are harder to find, Facebook can make a decision as to whether it's important to keep searching as hard, and raise or lower the price as they see fit. This is the market in action.

He might have made more on the black market, but why it would be worth more is important. On the black market, the transaction comes with legal risk. Risk increases payout (by reducing supply).


There would be very little legal risk associated with selling this on the black market. The problem would be finding the buyer. The prosecution would have to prove that the seller knew for a fact that he was selling the vulnerability to a known criminal.



