
In large production environments it's almost impossible to avoid bugs - and some of them are going to be nasty. What sets great and security-conscious companies apart from the rest is how they deal with them.

This is an exemplary response from Google. They responded promptly (with humor no less) and thanked the guys that found the bug. Then they proceeded to pay out a bounty of $10.000.

Well done Google.

Indeed, it's funny that I'm reading about a vulnerability they had and it's actually making me feel more safe about using their products.

I am really glad about how they responded. Whenever Tinfoil has found vulnerabilities in companies like United Airlines[0], for example, those companies mostly respond with anger rather than graciousness.

[0] https://www.tinfoilsecurity.com/blog/132969897

Exactly. I just saw that the local bank my parents use is still vulnerable to the Heartbleed Bug. But you know what? I don't want to go down there and talk to them because I'm quite certain they'll call the police because I "hacked into their systems".

There should be a security equivalent to hiring a lawyer to write strongly-worded letters for you.

Maybe someone could set up a firm where individuals could hand them a vuln report, and then the firm would contact the vulnerable company on the individual's behalf. The firm would do the long, boring dance of "we suspect you're vulnerable to X, though we haven't tested it, but we'd like to do a free vulnerability test on you, so please sign this liability waiver", both protecting the individual from liability, and taking time the individual doesn't have. In return, if the company gives rewards, the firm could take a percentage.

So you pay money to hire somebody to send a company a letter informing the company of the company's problem in hopes that maybe, just maybe, the company will reward the firm a small sum of money and you will get a small amount back.

I think you have a winner on your hands.

I might be living in a country with very few banks (3). I may benefit from letting them know about a security issue, especially if because of that issue I could potentially go to jail.

I may not have the option of changing bank because the others are even worse.

However, I don't know how much I would pay for that. Probably some kind of class action would work.

They wouldn't be doing it for the money. The EFF would be a good example of a firm that could take this practice up.

That's beside the point. It still costs money, and the company that's vulnerable is not the one paying it. A service like this would be time-consuming (bogus reports, etc.), and the EFF would still have to use money from donations to finance this.

The only thing I can think of is some security firm doing this, using the exposure as a marketing tool and establishing themselves as an authority on the subject.

> I just saw that the local bank my parents use is still vulnerable to the Heartbleed Bug.

Just remember, many sites keep the old certificate expiration date even though they generated new certificates, which shows up as a false positive on the checking tools.

One idea: Call your local newspaper with an anonymous tip?

To be fair, there are some that respond more graciously than others, but it's entirely unclear.

If you are a bank, and you haven't fixed one of the worst and widest-reaching security holes in years by now... well. Criminal negligence would be an appropriate description.

That's what pastebin is for.

While I know plenty of companies do not respond how I feel they should to vulnerabilities, reading that story I don't see any cited anger from United Airlines.

Am I missing part of the story?

You're right; the anger was mostly behind the scenes. It turns out it's also /incredibly/ hard to disclose a vulnerability to most companies. Companies like Google, or those that have bug bounty / disclosure programs, are to be lauded. :)

Call me an idealist, but I think 10,000 could be low.

Where _is_ Google's response?

If you read the article, it summarizes it.

Oh -- that video was part of Google's response? I thought it was part of some meme to describe Google's response.

That's how I read it, yes.

Memes are a common way of communicating at Google, even formally.

That's fascinating; do you happen to remember the reference?

Hmm, a pretty cheap road trip for just ten dollars, and I'm also not sure why they thought it necessary to include an extra significant figure for cents.

Some countries reverse the role of period and comma in numbers. The author meant ten thousand.

I'll admit, it threw me off at first too.

The comma is actually used as the decimal separator in more of the world than the period: http://en.wikipedia.org/wiki/File:DecimalSeparator.svg
