by jrockway 3618 days ago
Let's do a little calculation to see if the payout is worthwhile.

Using something illegally means you run the risk of going to prison. Let's say there's a 1% chance you get caught, the prison sentence is 10 years, and the evil hackers will pay you $20,000 for your bug. Let's also say that you're a mid-career software engineer in the US, and over the next 10 years you expect to make $2M (after taxes).

This means your expected outcome over 10 years is $20,000 + (0.99 * $2M) = $1.98M. With Lastpass's bounty you end up with $2.001M.

With these assumptions, you should be paying Lastpass to find bugs in their software! Of course, if you're not in the US, you probably make a more reasonable salary (read: less), taxes are higher, and the risk of getting caught is lower.


> over the next 10 years you expect to make $2M (after taxes)

That would be $300K per year pre-tax (assuming current 2016 tax rate of 33% for the 200-400K bracket). Is that really a normal mid-career salary?

I need to change jobs if that's the case...

At elite big-name tech companies in the Bay Area, if you're selling your stock as it vests, that might be a little high but in the ballpark.
Now let's bring that salary estimate back down from outer space. $200,000 per year TAKE HOME is not realistic, except for the very top percent of developers. And I'm talking the very top.
There is also the reputation boost that the researcher receives for discovering this exploit and disclosing it in a responsible manner. The value of that is incalculable.
In most places doing gray/black-hat things rarely results in going to prison, especially for someone who hasn't been convicted before.

https://en.wikipedia.org/wiki/List_of_computer_criminals paints a picture that prison time is mostly a US-only thing.

You are approaching this from the wrong angle. How much was the exploit "worth" to the company?

Some people want to watch the burn. An attacker could make it known anonymously and LastPass will never recover from that onslaught.

Is it still illegal when Lastpass actually stimulates you financially to pry into their systems?
They authorize you to pry into their systems if, and only if, you report security bugs back to them. If you don't, they don't authorize you to pry into their systems, and it's illegal.