[armabiz]

Dear %username%, thanks for reporting this critical security vulnerability, affecting our multi-million business.

Do you want a T-shirt?

[introvertmac]

Haha, for what ?

[introvertmac]

yes, that's the issue. They think their T-shirts worth the time and efforts we spend in finding the bugs

[andreyf]

Well, they also put your name on their "thank you" page and sent you a nice email! What else could you possibly want?

It might be a multi-million dollar business, but it's not like these hacks can actually cost them millions of dollars. Verizon has had employees giving out personal details to people on the phone for years, and they're still happy to do it even for the director of the CIA: https://www.schneier.com/blog/archives/2015/10/the_doxing_tr...

[introvertmac]

True, but people do have bills to pay. So this can't be a full time thing.

[andreyf]

I think Schneier is arguing that if companies were liable for their disregard of even minimal security standards, they might pay you more to help finding vulnerabilities.

[hk__2]

The thing is that they never asked you to spend time finding the bugs; they’re not obligated to give you something.

[introvertmac]

agreed, but "people don't know what they want, until you show it to them"- Steve Jobs