by tptacek
3626 days ago
As I said downthread, Facebook was the highest bidder for this interaction-required CSRF bug; the next-highest bidder would probably be $50. There is virtually no market at all for serverside bugs, because they have no half-life: as soon as they're detected, they stop working against all targets instantaneously. Contrast that with browser clientsides, which have long half-lives. A SQL injection bug in a Facebook service would not fetch much more than $50 from anyone but Facebook itself.