[scarlac]

> I'd demand Facebook pay out $75,000 minimum

Wouldn't demanding money be blackmailing?

A story from one of my startups: A student reached out to us regarding a security vulnerability on the website, demanding money for it. He refused to say what it was or provide evidence at first, so we couldn't assess it. He said he'd disclose it to others if we didn't.

I definitely felt blackmailed. I am not a lawyer but it felt illegal. Maybe someone can chime in to say if it is?

[ericjang]

Rather than the exploiter setting an arbitrary price (which would be closer to blackmail), I think parent comment was saying that the fair market value of disclosing such a bug was worth closer to $75k given the unique skill set required.

Skilled engineers turn to cybercrime when white-hat bounties are insufficiently rewarding, so it is in everyone's interest to pay competitive rates for finding security vulnerabilities.

[tptacek]

The fair market price of an entire app pentest of that legal dashboard application, one which would almost certainly find that bug† if run by a competent, reputable firm, along with many other bugs, run by consultants with bios and concluded with a deliverable that Facebook can file away, is probably somewhere between $20,000 and $35,000, so the idea that the fair market value of a single finding of that engagement is $75,000 is pretty hard to take seriously.

From my perspective, people weird ideas (in both directions!) about how much this stuff costs.

† It's a little tricky to say because the blog post is cagey about what the vulnerability actually is, but I'm thinking about all of the password-reset-flow bugs I've ever seen that fit the rest of the pattern of the post and I'm pretty sure this is low-hanging fruit for a serious app pentest.

[fancythat]

One point of you to consider though, I guess FB runs pentests all the time, either internally or externally by appointing some other company to do it.

That being said, if they pay that company 35k, for example, and they haven't found this, wouldn't that fact make this discovery worth more than 35k?

[lazyasciiart]

Maybe they found other bugs that were worse, or of the same value, and you should have just given them another day.

[ericjang]

Fair enough. I could imagine that if the work were billed by the hour or said research firm hired multiple people it would be easy for costs of the work to run up to $75k - it's within O(20k). I'm not qualified to price these though - I certainly would abhor having to pay that cost if I were a small company.

[tptacek]

20-35k assuming a sort of baseline project being 2 people, 2 weeks.

[singingfish]

Which is essentially market driven blackmail as far as I can see. Once I meet my new neighbours (one of whom is a moral philosopher by trade) I might ask about how to assess if that's ok. Personally it feels somewhat ok to me, speaking as someone who's built industrial espionage for money.

[phkahler]

>> Which is essentially market driven blackmail as far as I can see.

Modern medicine can also be like blackmail. Nobody has to actually threaten you, but nature will kill you unless you pay whatever the price of treatment. That's why we need competition, and why pharma companies like monopolies.

[simias]

That's the most American comment I've read all day, and that's saying something!

[unishark]

It differs from blackmail because you the sick person are the one requiring others to perform a service for your benefit. With blackmail (and generally extortion) you are threatening to take an action unless someone pays you not to.

[phkahler]

Oh I completely agree, that's why I said "can also be like blackmail". Key word "like" because it does differ in the exact way you describe.

So in this threads context, "hey I found a vulnerability in your infrastructure, you could pay me for it" does not actually constitute blackmail unless they actually follow it with "I'm selling to the highest bidder which may not be you".

[singingfish]

Here in Australia the state funds most medical care. In this case the blackmail vector, if we use that interpretation is the taxation system.

[sjwright]

And we (Australia) blackmail drug makers: sell your drugs to us at a certain price and the Government will heavily subside it and you’ll get big sales. Refuse and it will get zero subsidy and nobody will buy it.

https://en.m.wikipedia.org/wiki/Pharmaceutical_Benefits_Sche...

[webmaven]

> And we (Australia) blackmail drug makers: sell your drugs to us at a certain price and the Government will heavily subside it and you’ll get big sales. Refuse and it will get zero subsidy and nobody will buy it.

The blackmail version is actually "Refuse, and we'll produce a generic version locally and perhaps even export it to any country that wants it."

https://www.wired.com/2006/12/indiadrug/

[karaterobot]

Blackmail with a bit of overhead tossed in then. At least most hackers keep the costs down and pass the savings on to you!

[singingfish]

I don't think state funded healthcare works the way you think it does. The american system is the most economically inefficient system out there, to the extent that people without experience of other systems likely end up with highly distorted perception.

Note that a mixed economy (combined public/private funding, like the french and australian systems) are probably for the most part the most economically efficient. A big problem in australia is over-provision of services, especially ending up getting more pathology tests than strictly necessary.

[comprev]

That statement is so true it's terrifying.

[phkahler]

The thing to remember is that the universe does not care, and nobody owes us anything. That's what's really terrifying until you come to terms with it.

[LockAndLol]

So, what is your proposed solution for people who find security vulnerabilities in systems? Keep in mind these vulns are worth money in the black market.

[chii]

If the gov't stops prosecuting the security experts for selling the vulnerability on the black market (but instead, only prosecute those who use it for illegal purposes), then the security expert can find out the true value of a vulnerability.

This makes the company with said vulnerability pay the true price for it - may be even just purchase it on the black market and outbid the "bad guys". Or pay someone to fix it asap before it's sold.

[singingfish]

I suspect that decent bug bounties, and therefore engendering more competition between white hat and black hat activities is probably the best way to go.

[ajkjk]

What does it mean to be a moral philosopher 'by trade'?

[singingfish]

employed (by a university) as a moral philosopher. Interestingly the institute they work for is ethically dubuous (because of how it's funded, not the teaching content)

[outoftheabyss]

Unemployed

[ineedasername]

It's a rather small field, but IIRC, I had a philosophy professor in college whose specialty was the Ethics, and he had a sideline consulting with hospitals as a medical ethicist. He was also brilliant-- In the course I took with him we covered scientific ethics, one of the more memorable of my academic experiences.

[foldr]

Presumably that they're an academic moral philosopher.

[HomeDeLaPot]

I suppose the illegal part would be the student threatening to disclose the vulnerability to others if you didn't pay. That seems like crossing the line into blackmail and being an accomplice of whoever he discloses to. But the student wouldn't be legally obligated to inform you of a vulnerability, and it wouldn't make sense to if you weren't willing to pay. I can see the difficulty though, I guess you'd need to have his identity so you could legally pursue him if there was no vulnerability and he ran away with the money. Or maybe you could write up some sort of contract requiring an in-person demonstration...

[phkahler]

>> student wouldn't be legally obligated to inform you of a vulnerability, and it wouldn't make sense to if you weren't willing to pay.

Which leads to a very interesting situation in negotiating. It's not the first time someone tried to sell information or an idea without getting ripped off. But how can one agree the value of information without knowing it. Is there a standard word or phrase to describe that situation?

[vladTheInhaler]

The thing that is missing here would seem to be a sort of zero-knowledge proof.

[unishark]

perhaps a third party both sides trust is hired to appraise the value

[foepys]

Those things already exist but ultimately bugs and exploits are too niche. A trusted third party cannot rule by themselves but is always required to ask both sides about the bug's impact. Since both sides try to frame it as both high and low impact at the same time, you make both parties unhappy in the most cases and become untrusted.

[flagrant]

Sounds like a standard Catch-22.

[kortilla]

Finder’s fee

[pgayed]

It’s that second part.

“I’m going to do x if you don’t y.”

He’s under no obligation to disclose. But the second part is coercion.

x itself might also constitute a crime.

[Rexxar]

Using an "if" doesn't mean coercion if first action is legitimate

- I'm going to refuse your offer if you don't propose something better.

- I'm going to work on it if you don't want to

- I'm going to eat the cake if don't like it

[ineedasername]

Not quite. Let's say I know you're cheating on your partner: I can tell the partner, and that's legally fine. But if I say "I'm going to tell the partner if you don't pay me $7500" then that is not fine, even though the first action is legitimate. Coercion really is quite a bit about the second part as well.

I'm not sure if this rule would cover all coercion/blackmail, but a rule like the following is probably a good guideline: If the first part negatively impacts the "victim" while the second part positively impacts the other person, it's might be getting close to coercion territory.

Let's take your cake example: The person with the cake isn't really negatively impacted. If they don't like the cake, they aren't materially harmed by someone else eating it. Although even there, context matters: Let's say you're a baker, and you sell cakes, even ones that you don't like yourself (maybe you hate buttercream icing). Taking your cake and eating it when you might otherwise have sold the cake and made money would be a problem.

[pgayed]

?

It is coercion. But not all coercion is criminal.

[jahewson]

There’s no harm in making a demand. It’s adding “or else” that would get you in trouble. In this case that would be extortion.

[throwitaway1235]

I don't think demanding a sum of money for a problem that you personally solved could be considered blackmail. I'm not an attorney though.

[lr4444lr]

IANAL, but it definitely sounds like he's painting a target on himself for civil damages if someone else hacks you by using an exploit he shared.

[kortilla]

Good luck proving that.

[rhexs]

Unless litigating students is something your startup is interested in, I’d recommend ignoring that line of thinking and just hiring a good pen tester for a few months.

[EGreg]

It’s really hard to say what something is worth if you are only allowed to sell it to one buyer. No competition between buyers. The only leverage is releasing the info and screwing a lot of people.

(Also sucks that you can release it anyway. But you do want to source these vulnerabilities from the world at large.)

Yet another reason why open source and collaboration may be better than capitalism and competition. Many hands make light work, with enough eyes all bugs are shallow, and all that.

(To be fair, open source lacks security by obscurity so a project becomes secure after many years and developers join it.)