[imadr]

I assumed they offered a bounty for bug disclosure? You mean to tell me that an internet provider with 11 billion in revenue can't pay someone that found a bug impacting all their clients?

Frankly he could have just sold the vulnerability to the highest bidder

[teruakohatu]

They do not:

> Cox does not offer a bounty program or provide compensation in exchange for security vulnerability submissions.

https://www.cox.com/aboutus/policies/cox-security-responsibl...

[tetha]

Mh, we have a similar thing on our website at work, but people who found serious issues still got compensated.

One big reason to put this out there: Otherwise you get so many drive-by disclosures. Throw ZAP at the domain, copy all of the low and informational topics into a mail at security@domain and ask for a hundred bucks. Just sifting through that nonsense eventually takes up significant time. If you can just answer that with a link to this statement it becomes easier.

It makes me a bit sad that this might scare off some motivated, well natured newbs poking at our API, but the spam drowned them out.

[cqqxo4zV46cp]

Don’t frame a company not parting ways with money that they could hypothetically part ways with as being unusually egregious. That’s never how it works. Not every conversation needs overstated outrage.

[bayindirh]

> Frankly he could have just sold the vulnerability to the highest bidder

Why? Ethics aside, is everything money?

[robertlagrant]

> Why? Ethics aside, is everything money?

Ethics aside, why not? That's why we have ethics.

[mjg59]

Vendors who pay bounties often restrict public disclosure, and the professional value obtained from being able to talk about the research you do may be worth significantly more than the payout

[robertlagrant]

> Vendors who pay bounties often restrict public disclosure, and the professional value obtained from being able to talk about the research you do may be worth significantly more than the payout

Professional value that doesn't translate into money, do you mean? How do you categorise that?

[waterhouse]

I take the "professional value" to mean essentially putting it on your resume, gaining publicity by blogging about it, getting conference organizers to let you give a talk about it, etc., all of which may ultimately increase the money you can earn doing computer security.

[pyrale]

Ethics aside, there are many thing that move people, and it's not always money. For instance, selling the vulnerability means the author wouldn't have been able to tell their story.

[bayindirh]

Because even if I remove ethics, I can't find a reason for doing something like that.

For me, doing the right thing is beyond all these things, and I don't care about money beyond buying the necessities I need.

[WarOnPrivacy]

> I can't find a reason for doing something like that.

Money often starts out as necessity or one of it's close cousins. If I were 1) 8k miles away from my target, 2) in a region with more internet access than employment prospects and 3) needed to eat, I can see a path to profitable disclosure.

> For me, doing the right thing is beyond all these things,

This can be a luxury. After a year or 3 of kids in and out of hunger, what's right can get reframed.

> and I don't care about money beyond buying the necessities I need.

Getting beyond that is the thing.

[robertlagrant]

> For me, doing the right thing is beyond all these things

That...is ethics, no?

[MonkeyClub]

Ethics and character, yes, and an attitude towards life that doesn't regard money as the deeper meaning of everything.

[robertlagrant]

Ethics aside, what is characterful about saying no to money? Should I say no to my salary for character reasons?

[imadr]

>Why?

So this security researcher can keep doing his research without worrying about paying bills. The company gets cheap security audit, the researcher gets money, everybody wins

[naikrovek]

because money grants wishes, and having more money means you get more of your wishes granted.

[bayindirh]

That doesn't make me interested. I don't get all excited about the things money can buy.

Edit: As I noted elsewhere, necessities are something else.

[WarOnPrivacy]

May I suggest a decade of red state hunger-level poverty? My kids and I did it. Three years out of it, I get excited paying utilities on time.

[johnisgood]

I would love to have the money (42k EUR) to buy Scewo, which is an advanced self balancing stair climbing wheelchair. Sadly enough, I doubt I will ever be able to.

[unclebucknasty]

>...can't pay someone that found a bug impacting all their clients?...he could have just sold the vulnerability to the highest bidder

This attitude is why "independent security researchers" offering to present unsolicited findings to companies in exchange for payment feels exactly like extortion.

[zdimension]

At the same time, Cox is a commercial entity that makes money by providing services. Cyberattacks make them lose money, so it's only fair for them to financially award people that responsibly inform them of vulnerabilities instead of easily and anonymously selling those.

We're not talking about a grandma losing her wallet with 50 bucks in it and not giving money to the guy that found it and gave her back.

[unclebucknasty]

>it's only fair for them to financially award people that responsibly inform them of vulnerabilities instead of easily and anonymously selling those.

Yes, Cox has that choice. But, what you're describing is the definition of extortion. The fact that it's easy for people to get away with it does not make it ethical.

[bongodongobob]

It's not the definition of extortion. If I walk past a business and notice the locks on their windows are rusted and I happen to be a lock guy and say hey, I noticed your locks are fucked, I'd be happy to consult for you and show you how and why they are broken, that's just doing business. Extortion is telling them, hey, your locks are fucked and I'm telling everyone unless you pay me. It requires a threat.

[unclebucknasty]

You just manufactured a completely different scenario.

The comment I responded to was this:

>it's only fair for them to financially award people that responsibly inform them of vulnerabilities instead of easily and anonymously selling those.

That comment includes the threat ("instead of easily and anonymously selling those").

So, yes. That is the definition of extortion.

[bongodongobob]

I think preventing people from having that incentive vs an actual threat are not the same, which is how I read the hypothetical.

[worewood]

Great response, entirely agree.

[pixl97]

At the end of the day your enemy has no ethics, and we share the public internet with enemies. If paying to find security flaws means it's more likely people will find your flaws rather than sell them to someone that will use them for nefarious means then it is the better bet.

[unclebucknasty]

Making an argument for what's practical and what's ethical are two different things. My comment was about the latter. Yours appears to be about the former.

Ransomware victims have sometimes found it practical to pay the ransom. They're still victims of extortion.

[notactuallyben]

while beg bounty people can be annoying, you have to remember that people aren't obligated to sit down and find free bugs for any company (especially not a big one) - why would i sit down and look at some code for free for some giant corp when i could go to the beach instead?

[unclebucknasty]

No, they aren't obligated. So, if there's no bug bounty program in place, then they should either go to the beach or be willing to find bugs for the public good.

The idea that the company owes them anything for their unsolicited work is misguided. And, if they present the bugs for money under the implicit threat of selling the information to people who would harm the company, then it's extortion.

[depressedpanda]

1. Companies are amoral entities, and given the opportunity have few qualms about screwing people over if they can profit from it. Why do you expect people to behave ethically towards entities that most likely won't treat them ethically?

2. If said person doesn't present the bug to the company, but just goes straight to selling it to the highest bidder it's not extortion. If the company does not provide the right incentives (via e.g. bug bounties), isn't it their own fault if they get pwnd? They clearly don't value security.

[unclebucknasty]

You seem to be saying it's essentially "justified extortion" and not immoral because you've adjudicated them guilty. We disagree.

Not to mention them getting "pwnd" creates a lot of collateral damage in the form of innocent customers.

[imadr]

I would agree with everything you said, If we ignore the fact that the company has billions of dollars in revenue and paying a bug bounty is a drop in the ocean for them.

Do you think it's reasonable to say the the ethics of what you call "extortion" should depend with how big the company is? I'm obviously not advocating for making a small company pay more than they can manage

[unclebucknasty]

>the company has billions of dollars in revenue and paying a bug bounty is a drop in the ocean

That framing is strange to me. If they want to offer a bug bounty, then they can. But, it's their choice. Maybe they'd instead rather engage a security firm of their own selection.

But, whatever the case, to say "they should pay the money because they can afford to" isn't right to me. I don't believe the definition of extortion changes based on how big the target is or whether it can afford to pay.

In fact, the line of thinking in some of the comments here is so far off from what seems obviously ethical to me that I've had to re-read a few times to ensure that I'm not missing something.