by pydry 2112 days ago
>Can they pay more? Yes, absolutely. Should they? Probably, yeah. Do they have any reason to? No.

Yeah, they do. It's a self-declared measure of how seriously they take their security. They valued avoiding the takeover of their fleet at 0.0000125% of their market cap.

The reason I left LastPass was because the bug bounty for a bug that could expose all of everybody's passwords just by visiting a website was, like, about $1k. The company became dead to me in a split second and I wanted out immediately.

...and it's not doing too well these days, from what I can tell.


What was the half-life on that vulnerability? From the moment LastPass wrote whatever the fix was to the point at which attackers can no longer exploit it afresh, how much time elapses? If it's a server-side fix, so that the number is something like "a day or so while it's deployed", that's your answer about why nobody is outbidding LastPass for this bug.

I rather thought it was honesty that kept it from being bid on by bad guys. Even if they wouldn't bid more, it's a big risk to pay so low.

It's kind of a treasure trove to be able to read all passwords from a user of LastPass simply by showing them a website.

It made me think that the next zero-day on LastPass would probably be sold to someone else.

Who would buy it? That's the question I'm asking.

Scammers, fraudsters, governments.
Tell a story about the "scammer" or "fraudster" that buys this. What do they do with it? What do they win, how many times do they win it, and with what likelihood of success? How much work goes into realizing value from the vulnerability before they get their first dollar, or whatever it is they're getting? Is that work already done, or do they have to do it speculatively on this one vulnerability?

Reason your way through it all the way, and you'll see why real vulnerabilities sold on darker markets are paid in tranches, and why nobody pays real money for one-off server-sides.

Props to you for realizing that. That's a good move you took, I feel not many would do the same, sadly.