by throwaway28474 3867 days ago
Does the company not have any legal recourse against people going public (or threatening to go public) with a bug like this before it's fixed? If not, how is it that United can just mark unfixed bugs "as duplicates" and refuse to pay out for them? Shouldn't all those devs immediately go public with them?
3 comments

Is there a kind of "union" for bug finders, some corporate shell anonymous hackers can hide behind to avoid legal crushes?
Anonymous hackers just use a mask. Sorry, I couldn't resist.
It sounds like they are disqualified from receiving any rewards any time in the future.

But other than that, there is nothing preventing you from revealing the vulnerability, or worse, selling it on the grey market. The US government is a heavy buyer of vulnerabilities (although usually in applications, not in airline websites).

There can be a fine line between full disclosure and blackmail. I would be concerned "give me airpoints or else" would go over it.
That's a good point. If you get something out of it then it's not exactly as if you only have the public interest at heart. Which makes me wonder what would be the way to act if you found a major vulnerability in some vendor's product and they point blank refuse to fix it even given plenty of time. The public good would (could?) clearly outweigh the company's interest if the hole is bad enough, but it could get extremely expensive if you went public with the flaw against their wishes (assuming they know who you are and you're in a location where they can make your life hard).

This is probably very different from jurisdiction to jurisdiction; here in NL we have a government watchdog for such cases which, starting 1/1/2016, will have a lot more teeth, but in other countries the situation will surely be very different.

Anonymity would seem to be an asset in such cases.

There's never really a line between blackmail and anything, only Cantor dust. :/

Blackmail is one of those rare crimes that consist entirely of legal conduct.