by KajMagnus 2125 days ago
Can I ask, if you were the owner of the popular note-taking app, what bounty would you want to have paid for that vulnerability? I.e.:

"XSS bug in a popular note taking app ... attacker to download all the users notes just by having them visit a URL"

So as to not feel worried that future vulnerabilities would get sold on the black market instead


XSS? Outside of a social network, where it can propagate itself? For a non-FAANG-scale company? Probably between $250 and $500, if it's a clean and effective XSS. Less if you have to interact with an obscure feature of the application.
Thanks for the reply, I would have guessed maybe 10x more.

Interesting to hear.

Makes me think that there is not any big market for exploits targeting smaller companies. Maybe such exploits (for smaller products) would be useful primarily for spear phishing, and not bring in so much money if sold, and be hard to find a buyer for?

Still, if the note-taking app was something well known like Ev*rnote, I wish they'd pay more. (No idea if it was.)