by krageon 2115 days ago
> You would sell something like this, so someone can be spied upon or maybe literally chopped to pieces? Jesus, not everything is about money

If you haven't had food for a few days everything is indeed about money. Either you reward someone properly for the work that they can do or they'll find someone else who does. I doubt most people get fuzzy warm feelings helping a big US corporation that's too greedy to actually pay independent researchers properly.

Edit: That's not to say your work wasn't cool btw. It's very admirable for you to view it the way you do.


Technically true, but kind of ridiculous. How many people can't get food, but have a computer, electricity, internet connection, a reasonably quiet place to work, deep knowledge of web technology, and enough free time and mental energy to try to build exploits of computer software against an uncertain and distant bug bounty payout? If you're really desperate for food, you should be looking for a salaried position or something more immediate and certain.

More importantly, human history shows that ethics really are important. If you ignore ethics in the name of people starving, you build a society where even more people suffer and starve. If you want to build a society where everybody is safe and healthy, you need to pay attention to ethics now, not "someday".

Lots. Many more than you’d expect. To believe otherwise is privilege.

It took many years to understand this.

Dude, if somebody out there somewhere is seriously doing that, they really need some education in effective careers to pursue. That's a lot more likely to improve their lives than complaints about the social effects of the size of bug bounty payouts.

Speaking of privilege, how much privilege is there in believing that ethics aren't important, because you don't know what it's like to live in a place that never even pretended to care about it, and get robbed on a routine basis, because a bunch of other people around you don't care about ethics either, and would rather form a gang and smash anybody who has something they want than work to build a marketable skill?

That is the world you build when you advocate for people not paying attention to the harms of releasing exploits into the wild, because it might pay better than doing the right thing.

I'm sure you didn't mean to but telling people who are doing the best they can with the tools that they have that they "really need some education" comes across as incredibly condescending. It's been my experience that you will have a hard time convincing other people if you tell them things that way.
> If you haven't had food for a few days everything is indeed about money

I doubt anybody capable of finding an exploit like this is in that situation

I've met plenty of self-taught hackers in developing countries who were barely employed due to general economic dysfunction. Spend a month or two in Venezuela and you'll find plenty of qualified folks who have no steady job and are scraping by, how do you think people get into crime to begin with?
>> how do you think people get into crime to begin with?

Lack of opportunity, lack of skills and lack of work ethic. As in it's easy to do, no barrier to entry and always available.

Most crimes don't actually pay very well and have poor return if you've got any sort of marketable skills. Armed robbery of a bank will get you on average $1200 and 15-20 years.

I would add poor impulse control
I suggest you try and peek outside your bubble then. Software Engineering isn't free money everywhere.
You seem to be arguing against a straw man. Nobody said software engineering is free money, I said that a software engineer with the knowledge, skills and tools necessary to find an exploit like this is definitely not starving. In pretty much every country in the world, someone with those skills will be better off than 90% of the population
This is simply wrong. The fact that it is impossible for you to believe otherwise should inform you that you do indeed live inside a bubble.
So many comments to this saying it's possible to be broke as a software developer. No one is arguing that. There are tons of people in every career path that don't make much due to a variety of reasons.

But pretending software development isn't a well paying career path, in general, is a statistically incorrect statement

I'm very capable of finding exploits in what can only be described as terrible living conditions and I've done so while being categorically incapable of finding food anywhere. That's not the environment I live in today (and I'm happy about it), but it really doesn't require a nice warm home with a stable internet connection to find some glaring holes in an application.
Most software is made entirely free with no source of income. The job market for software is terrible, and those people work entirely separate jobs from it. Many program on a very minimal life expenditure.
"Most software is made entirely free with no source of income"

No. Most software that is actually used, is not made 'for free'.

https://levels.fyi disagrees. I can confirm the offers on there are real
That's very simplistic. Not everybody wants to work for US corporations or live in the US.
Does that mean they automatically work for almost nothing? This is so different from what I’ve observed. I would love to see where people are getting this opinion from.
You replied to a claim about “most software” with a site that compares big tech companies, and only their US offices. The world is much bigger than your bubble.
Please omit swipes like "your bubble" from HN comments. They're against the site guidelines because they degrade the container.

https://news.ycombinator.com/newsguidelines.html

Fair, but what do you mean by “degrade the container”?
Do you have any data that counters what I’m saying? I know people in other countries don’t make the same salaries but they are “mostly” doing pretty well for their region
> I know people in other countries don’t make the same salaries but they are “mostly” doing pretty well for their region

here's some job postings for software engineer in Bordeaux, France: https://www.indeed.fr/Bordeaux-(33)-Emplois-Ingenieur-Inform...

It's around three times less.

>Do you have any data that counters what I’m saying?

Prove me wrong is bad argumentation.

>I know people in other countries don’t make the same salaries but they are “mostly” doing pretty well for their region.

The burden of proof is on the person making the claim. Do you have any data to backup your claim?

> I doubt anybody capable of finding an exploit like this is in that situation

Yet the vast amount of hacks or attempts typically originate from China or North Korea...

And? If they’re hacking for the DPRK they’re probably in the 1% most privileged of the country, they’re definitely not going to be the ones starving.
They can be when they try to live off of bug bounties alone.

There are a lot of young folks that try to make this their full time job after some success, then get into a dry spell. The panic robs them of the lateral thinking that brought them to the dance to begin with, and they get into spirals of ravenously hunting simple bugs that end up as dupes and out of scope.

> They can be when they try to live off of bug bounties alone.

I think that's the problem. You shouldn't be entirely dependent on bounty money, because sooner or later you will find a bug that is worth 10x or 1000x on the black market.

I have seen white hat bounty hunters go rogue in such situations and entirely blame it on the cheap ass companies that won't offer the "right" amount.

Nobody owes you anything, you are doing this mostly for fun. The bounty is just a bonus.

> Nobody owes you anything, you are doing this mostly for fun. The bounty is just a bonus.

That's missing a key point of the bounty system. Slack and its users are better off because this bug was 1: discovered and 2: responsibly reported. The bounty increases the number of eyes looking, but also incentivizes folks to look into weird crashes or fight through the drudgery of triaging odd behavior.

The bug value also shows how much Slack here values their security, and makes me wary of them if I were in the position to be a customer of theirs.

> The bug value also shows how much Slack here values their security, and makes me wary of them if I were in the position to be a customer of theirs.

Most directly it shows how they value a bug bounty program. There are companies that spend hundreds of millions of dollars per year and have thousands of people in their infosec program that don’t have bug bounty programs.

You can extrapolate that to how they value security but that’s not necessarily directly correlated.

>There are companies that spend hundreds of millions of dollars per year and have thousands of people in their infosec program that don’t have bug bounty programs.

Such as?

Totally agree with you. I’m waiting for this to start going the way of Uber.
If you haven't had food in a few days, there are many better ways to get food on the table than trying to find exploitable vulnerabilities and sell them for tens of thousands of dollars, including

- Work on a bounty program that rewards mitigations instead of exploits (e.g., https://www.google.com/about/appsecurity/patch-rewards/). Those are much more deterministic. (But there's no black market for them.)

- Get a conventional job (possibly in software, possibly not), which pays you on a schedule.

I get the argument you're making about money, but I'm having trouble believing that going after bug bounties ever makes sense to someone in that situation, given how non-deterministic it is to find a bug.

Also (as this bug shows), it typically takes a long time between reporting a bug and having the responding team decide that it merits a bounty. In this case it took a month. (And then there's logistics about actually getting you the money at that point.) Are people who haven't eaten for a few days really going to be happy not eating for another month, even if they get a hundred thousand dollars then?

Are you seriously telling people who are starving to "get a [conventional or not] job"? I'm struggling to understand your point of view, this is almost a caricature.
I'm fairly certain that everyone in the vicinity of a bug bounty program is aware that interest in a program can be dialed up by simply adjusting award amounts. If you look here, Slack just recently increased theirs:

https://hackerone.com/slack/bounty_table_versions?type=team&...