by shepardrtc 3627 days ago
I think $5,000 is a lot of money. I'd be pretty happy if they sent that to me. In years past, companies would just give you a nice pat on the back.

What if someone else was offering $10,000 for Facebook bugs, so they could exploit them? This bug could probably result in more than $5,000 in damages to the Facebook brand.
But someone isn't. That's the point. These bugs don't go for $10k on the black market.
Never mind the fact that it does matter to a lot of people whether they are committing a crime. Not everyone is a capitalist sociopath.

If someone without a conscience wanted to maximize their profit, they'd probably just sell to both sides.

That's odd considering the potential monetary damage of such bugs can far exceed $10k.
One can smash a car up with a sledgehammer. Is the value of a sledgehammer equal to the value of a car?
>Is the value of a sledgehammer equal to the value of a car?

My previous post was poorly worded; I didn't mean to imply equality.

To use your analogy, valuing a serious vulnerability on a platform that has 1.65B users in the $5-10k range is tantamount to selling a 30 lb sledgehammer for a dollar.

But what if producing a sledgehammer only cost 50 cents? Then people would sell sledgehammers for a dollar or less.
Stealing this.
Me too. It really gets straight to the point.
The problem with valuing bugs at their damage potential is that the total damage potential of all bugs in any given product is almost certainly magnitudes greater than the total value of the product itself.
People always say this, but where would you go to find such a buyer? If you could find someone who would purchase it from you, would you proceed to then sell it to them?

If you can't find a buyer and/or would most likely be unwilling to commit a crime, it's a moot point.

Right, but this is Facebook, and it's breaking auth. This is the company that said that if there's a million dollar bug, they will pay out for it. I'm not saying this is a million dollar bug, but breaking auth is up there on things that are bad and is probably worth a bit more than 5k.