by taatof 513 days ago
> From a distance, white hat "vulnerability disclosures" start to look like a protection racket.

A pretty big distance.

If a mobster threatens to burn down a building unless you buy their "insurance", that's a protection racket.

If someone finds a major fire code violation and threatens to tell the fire marshal about it unless they fix it within a certain timeframe, that's not a protection racket, even though there's technically a threat involved. If the building owner is a dick about it, then next time that person will probably just go directly to the fire marshal.


If the reporter is trying to get paid for not reporting, that's blackmail. If the blackmail is organized, it's a racket.

Plus, if the attack surface is huge and/or fractal, you will never run out of exploits. The more you pay people to find them, the harder they look...

> If the reporter is trying to get paid for not reporting, that's blackmail.

That's not what happened here and isn't usually what happens, though? The reporter usually gives a timeline for fixing the bug before reporting externally, and often extends that deadline if it's clear the Company is working on it. This is separate from bug bounty payments.

> The more you pay people to find them, the harder they look...

Yeah... that's the point...

People will look for bugs regardless; better to incentivize them to report to you first.