[tptacek]

How does paying extra money address the underlying concern that LastPass has absolutely trivial regex bugs that entirely defeat the security of the product? I agree that the bug is terrible, but the bounty and the impact of the bug to the company are largely orthogonal, unless the bounty includes a confidentiality term.

[embik]

I guess the point people (including me) are making is that it should pay off to do the right thing and report a bug that is capable of killing your (core) business. While OP obviously is a honourable person, others might not be and are more interested in getting money than doing the right thing.

Of course it's illegal/wrong to sell an exploit to third parties, but that doesn't stop people from doing illegal things as long as they get money for it. You just don't know about the issues that are sold because that's obviously not going public.

[tptacek]

This doesn't make any sense logically. We don't need to pay people to prevent them from committing felonies. The suggestion that we do is actually pretty offensive to people who find vulnerabilities. Most of us --- in fact, the overwhelming majority of us --- are not torn at all about whether we should sell flaws to the black market.

(This is of course orthogonal to the fact that the black market does not want these vulnerabilities.)

[estefan]

No, you pay people to bother looking in the first place.

Criminals will always be looking, but the odds of finding vulns against a company that pays decent bounties should be far lower than against one paying a pittance, since more people should be looking due to the greater potential reward.

Also, in this case, I think that the amount of damage the company has avoided due to the vuln leaking through non-responsible disclosure is far more than $1000. Deleting photos on FB is nowhere near the same class of seriousness.

The company STORES PASSWORDS. Leaking them is serious.

[tedunangst]

And somebody looked, so clearly the bounty worked! But the cost to find a bug has practically nothing to do with the impact of the bug. The incentive is to find bugs, not a particular world ending bug.

[estefan]

How do you know it hasn't already been found and actively exploited?

Regardless, if a company isn't willing to demonstrate they value security to my satisfaction I won't be a customer.

[tptacek]

I am absolutely OK with the idea that you'd stop using LastPass because they have a bug this dumb. I'm even OK with you believing that LastPass should pay more than other companies because they are so clearly reliant on external researchers to work on spec to find the simplest possible flaws in their code.

The only problem I have is with the virulently bogus meme that companies should pay more for vulnerabilities because otherwise the "black market" will outbid them. No:

* The "black market" does not in fact want these vulnerabilities.

* Finding a vulnerability and then not using it to to enter into a criminal conspiracy simply isn't praiseworthy, and reasonable people don't have to paid not to do that. It's hard enough to do this kind of work in a society that believes there's something sketchy about finding vulnerabilities at all, without the constant chatter about how maybe they could just make a living by enabling crime.

* The argument doesn't even make logical sense. If the vulnerability is easy to find and exploit (as this one was), then no matter how severe it is, it doesn't command a high price because you could spend less money to independently rediscover it. Moreover, there are surely many other vulnerabilities to be found in the same target. The economics of the argument are all wrong.

[embik]

So you don't believe there are blackhats out there? Because somebody has to be breaching online services and it's rather unlikely it's a godly entity doing that.

Felonies exist and people still commit them. Should they? God no. But people with a lower moral code exist and they can be flipped to do "good work" if there's enough money for them (and I think you should get more money in general for your important work anyway). I find the notion of your profession only consisting of good people highly offending to the rest of the world.

[tedunangst]

The people who are not the majority of researchers would be... Wait for it... A minority of researchers.

[estefan]

So... a minority of people aren't capable of causing trouble? I don't see your point.

[tptacek]

This is a crazy argument. HN is a community populated in large part by software developers, most of whom will at many different times in their careers ship vulnerable code they wrote. You're saying that if you start a new company, you should either (a) get your code absolutely perfect, which nobody ever manages to do, including people who go to great expense to try, or (b) be held hostage by extortion schemes to pay greater sums for vulnerabilities lest the discoverers exploit them to cause the most possible damage to your company.

You know who does fine in a world where that's the norm? Facebook. No matter where vulnerabilities get valued at, they will be a rounding error expense to Facebook.

You know who does not do fine in that world? Anyone smaller than Facebook.

Thankfully, that's not the norm in the real world. Unfortunately, the real norm is: if you pay a bounty at all, random people on Twitter and message boards will claim you're being negligent by not paying more for them. The lesson then is: don't offer a bug bounty. All you're doing is attracting negative attention.

You know who does fine in the real world where that's the norm? Apple and Cisco. Really, so does Facebook, despite the bullshit flak they take for their bounties.

You know who does not do fine in the real world? End-users.

[tedunangst]

Nothing in tptacek's comment implied that blackhats don't exist.