by estefan 3618 days ago
I think paying only $1000 for a potentially company-imploding bug like that is incredibly short sighted.

It's far too low to motivate a lot of people to look for bugs, and to me suggests they're not serious about protecting their reputation if someone does find such a company-destroying bug.


HN has weird beliefs about the company-imploding properties of all sorts of bugs, from this to CSRFs that let you delete photos from Facebook. After all, a competitor could use it to erase all the photos on Facebook and then take over the market!

That was an actual argument on a thread about Facebook underpaying bounties.

To be fair, this bug is pretty nasty because it allows anyone to get all your stored passwords. That's like the core business of LastPass. LastPass leaking your login credentials for e.g. online banking is really not comparable to deleting Facebook photos.

How does paying extra money address the underlying concern that LastPass has absolutely trivial regex bugs that entirely defeat the security of the product? I agree that the bug is terrible, but the bounty and the impact of the bug to the company are largely orthogonal, unless the bounty includes a confidentiality term.

I guess the point people (including me) are making is that it should pay off to do the right thing and report a bug that is capable of killing your (core) business. While OP obviously is an honourable person, others might not be and are more interested in getting money than doing the right thing.

Of course it's illegal/wrong to sell an exploit to third parties, but that doesn't stop people from doing illegal things as long as they get money for it. You just don't know about the issues that are sold because that's obviously not going public.

This doesn't make any sense logically. We don't need to pay people to prevent them from committing felonies. The suggestion that we do is actually pretty offensive to people who find vulnerabilities. Most of us --- in fact, the overwhelming majority of us --- are not torn at all about whether we should sell flaws to the black market.

(This is of course orthogonal to the fact that the black market does not want these vulnerabilities.)

No, you pay people to bother looking in the first place.

Criminals will always be looking, but the odds of finding vulns against a company that pays decent bounties should be far lower than against one paying a pittance, since more people should be looking due to the greater potential reward.

Also, in this case, I think that the amount of damage the company has avoided due to the vuln leaking through non-responsible disclosure is far more than $1000. Deleting photos on FB is nowhere near the same class of seriousness.

The company STORES PASSWORDS. Leaking them is serious.

So you don't believe there are blackhats out there? Because somebody has to be breaching online services and it's rather unlikely it's a godly entity doing that.

Felonies exist and people still commit them. Should they? God no. But people with a lower moral code exist and they can be flipped to do "good work" if there's enough money for them (and I think you should get more money in general for your important work anyway). I find the notion of your profession only consisting of good people highly offensive to the rest of the world.