Hacker News new | ask | show | jobs
by estefan 3618 days ago
No, you pay people to bother looking in the first place.

Criminals will always be looking, but the odds of finding vulns against a company that pays decent bounties should be far lower than against one paying a pittance, since more people should be looking due to the greater potential reward.

Also, in this case, I think that the amount of damage the company has avoided due to the vuln leaking through non-responsible disclosure is far more than $1000. Deleting photos on FB is nowhere near the same class of seriousness.

The company STORES PASSWORDS. Leaking them is serious.
1 comments
tedunangst 3618 days ago
And somebody looked, so clearly the bounty worked! But the cost to find a bug has practically nothing to do with the impact of the bug. The incentive is to find bugs, not a particular world ending bug.
link
estefan 3618 days ago
How do you know it hasn't already been found and actively exploited?

Regardless, if a company isn't willing to demonstrate they value security to my satisfaction I won't be a customer.

link
tptacek 3618 days ago
I am absolutely OK with the idea that you'd stop using LastPass because they have a bug this dumb. I'm even OK with you believing that LastPass should pay more than other companies because they are so clearly reliant on external researchers to work on spec to find the simplest possible flaws in their code.

The only problem I have is with the virulently bogus meme that companies should pay more for vulnerabilities because otherwise the "black market" will outbid them. No:

* The "black market" does not in fact want these vulnerabilities.

* Finding a vulnerability and then not using it to to enter into a criminal conspiracy simply isn't praiseworthy, and reasonable people don't have to paid not to do that. It's hard enough to do this kind of work in a society that believes there's something sketchy about finding vulnerabilities at all, without the constant chatter about how maybe they could just make a living by enabling crime.

* The argument doesn't even make logical sense. If the vulnerability is easy to find and exploit (as this one was), then no matter how severe it is, it doesn't command a high price because you could spend less money to independently rediscover it. Moreover, there are surely many other vulnerabilities to be found in the same target. The economics of the argument are all wrong.

link
estefan 3618 days ago
> I am absolutely OK with...

That's a weight off...

I have no idea who you think you're replying to, but they're not my points dude...

link