by ericjang 2009 days ago
Rather than the exploiter setting an arbitrary price (which would be closer to blackmail), I think parent comment was saying that the fair market value of disclosing such a bug was worth closer to $75k given the unique skill set required.

Skilled engineers turn to cybercrime when white-hat bounties are insufficiently rewarding, so it is in everyone's interest to pay competitive rates for finding security vulnerabilities.


The fair market price of an entire app pentest of that legal dashboard application, one which would almost certainly find that bug† if run by a competent, reputable firm, along with many other bugs, run by consultants with bios and concluded with a deliverable that Facebook can file away, is probably somewhere between $20,000 and $35,000, so the idea that the fair market value of a single finding of that engagement is $75,000 is pretty hard to take seriously.

From my perspective, people have weird ideas (in both directions!) about how much this stuff costs.

It's a little tricky to say because the blog post is cagey about what the vulnerability actually is, but I'm thinking about all of the password-reset-flow bugs I've ever seen that fit the rest of the pattern of the post and I'm pretty sure this is low-hanging fruit for a serious app pentest.

One point for you to consider though, I guess FB runs pentests all the time, either internally or externally by appointing some other company to do it.

That being said, if they pay that company 35k, for example, and they haven't found this, wouldn't that fact make this discovery worth more than 35k?

Maybe they found other bugs that were worse, or of the same value, and you should have just given them another day.
Fair enough. I could imagine that if the work were billed by the hour or said research firm hired multiple people it would be easy for costs of the work to run up to $75k - it's within O(20k). I'm not qualified to price these though - I certainly would abhor having to pay that cost if I were a small company.
20-35k assuming a sort of baseline project being 2 people, 2 weeks.
Which is essentially market driven blackmail as far as I can see. Once I meet my new neighbours (one of whom is a moral philosopher by trade) I might ask about how to assess if that's ok. Personally it feels somewhat ok to me, speaking as someone who's built industrial espionage for money.
>> Which is essentially market driven blackmail as far as I can see.

Modern medicine can also be like blackmail. Nobody has to actually threaten you, but nature will kill you unless you pay whatever the price of treatment. That's why we need competition, and why pharma companies like monopolies.

That's the most American comment I've read all day, and that's saying something!
It differs from blackmail because you the sick person are the one requiring others to perform a service for your benefit. With blackmail (and generally extortion) you are threatening to take an action unless someone pays you not to.
Oh I completely agree, that's why I said "can also be like blackmail". Key word "like" because it does differ in the exact way you describe.

So in this thread's context, "hey I found a vulnerability in your infrastructure, you could pay me for it" does not actually constitute blackmail unless they actually follow it with "I'm selling to the highest bidder which may not be you".

Here in Australia the state funds most medical care. In this case the blackmail vector, if we use that interpretation, is the taxation system.
And we (Australia) blackmail drug makers: sell your drugs to us at a certain price and the Government will heavily subsidise it and you'll get big sales. Refuse and it will get zero subsidy and nobody will buy it.

https://en.m.wikipedia.org/wiki/Pharmaceutical_Benefits_Sche...

> And we (Australia) blackmail drug makers: sell your drugs to us at a certain price and the Government will heavily subsidise it and you'll get big sales. Refuse and it will get zero subsidy and nobody will buy it.

The blackmail version is actually "Refuse, and we'll produce a generic version locally and perhaps even export it to any country that wants it."

https://www.wired.com/2006/12/indiadrug/

Blackmail with a bit of overhead tossed in then. At least most hackers keep the costs down and pass the savings on to you!
I don't think state funded healthcare works the way you think it does. The American system is the most economically inefficient system out there, to the extent that people without experience of other systems likely end up with a highly distorted perception.

Note that a mixed economy (combined public/private funding, like the French and Australian systems) is probably for the most part the most economically efficient. A big problem in Australia is over-provision of services, especially ending up getting more pathology tests than strictly necessary.

Just a joke!
That statement is so true it's terrifying.
The thing to remember is that the universe does not care, and nobody owes us anything. That's what's really terrifying until you come to terms with it.
So, what is your proposed solution for people who find security vulnerabilities in systems? Keep in mind these vulns are worth money in the black market.
If the gov't stops prosecuting the security experts for selling the vulnerability on the black market (but instead, only prosecute those who use it for illegal purposes), then the security expert can find out the true value of a vulnerability.

This makes the company with said vulnerability pay the true price for it - maybe even just purchase it on the black market and outbid the "bad guys". Or pay someone to fix it asap before it's sold.

I suspect that decent bug bounties, and therefore engendering more competition between white hat and black hat activities is probably the best way to go.
What does it mean to be a moral philosopher 'by trade'?
Employed (by a university) as a moral philosopher. Interestingly, the institute they work for is ethically dubious (because of how it's funded, not the teaching content).
Unemployed
It's a rather small field, but IIRC, I had a philosophy professor in college whose specialty was ethics, and he had a sideline consulting with hospitals as a medical ethicist. He was also brilliant. In the course I took with him we covered scientific ethics, one of the more memorable of my academic experiences.
Presumably that they're an academic moral philosopher.