by daraosn
3626 days ago
I posted below (and got hardly and irrationally downvoted) that $5,000 is a joke. And your comment and others don't change my mind. A CSRF vulnerability; looking forward to reading a post on a SQL injection next time. I worked doing bots in my school days when I was a kid, and I saw that the gray/black market can unfortunately be extremely profitable. $5,000 is nothing; we're not talking about a little startup here, it's Facebook, and they do have resources. Have you ever seen nasty content on Facebook on your wall, been spammed, or even hacked? It's because these kinds of vulnerabilities get breached. Of course they can happen, but $5,000 is nothing considering the economic impact it can have if someone exploits it badly. A PR campaign to fix a mess wouldn't cost a few thousand, rather a few million. Again: kudos to the OP for posting this and doing things the right way (reporting to Facebook), but again, sadly good developers are getting underpriced... PS: and by the way, I'm in no way circle jerking, this is not reddit, I'm here for a serious discussion on the topic.
There is virtually no market at all for serverside bugs, because they have no half-life: as soon as they're detected, they stop working against all targets instantaneously. Contrast that with browser clientsides, which have long half-lives.
A SQL injection bug in a Facebook service would not fetch much more than $50 from anyone but Facebook itself.