[Irregardless]

Less money = less incentive = fewer disclosures = less secure.

Facebook is abusing the good will of white hats by offering such trivial sums, and they're reducing the security of their platform in the process. They have how many $100k+ engineers who couldn't find this? And how much does the average security breach cost per record, $100-$200? This exploit alone could have exposed them to millions in losses at that cost.

This is what turns white hats into black hats, and I wouldn't blame the guy for selling his next exploit rather than disclosing it. A famous guy once said "we create our own demons". And then the guy in Iron Man 3 said it. And now I'm saying it.

[tptacek]

"Trivial sums"? This is squarely in line with what Google pays for vulnerabilities. Who is paying drastically more for website flaws?

And, because you think the thank-you Facebook offered was too low, you wouldn't blame him for selling vulnerabilities to criminals? Really? Selling vulnerabilities to criminals is itself a crime.

[dkokelley]

> Who is paying drastically more for website flaws?

Black hat markets, presumably. At least that is the point being made by commenters here. Granted, selling the vulnerability is illegal and immoral, but that doesn't stop it from happening. The 'market rate' for vulnerabilities seems to be higher than what Facebook and Google are paying out.

[tptacek]

Why do you "presume" that? Not all vulnerabilities are equally valuable, and the value for a vulnerability is not as straightforward as people here seem to think it is. Or at least, I don't think it is.

[dkokelley]

I use the word "presume" because I don't frequent black hat markets and I have no personal experience with current pricing. The general agreement I'm seeing in the comments (and anecdotes gathered elsewhere) is that exploits and vulnerabilities command a higher price when sold to black hats rather than responsibly disclosed through a bounty system. (Isn't this what the grandparent and article are implying?)

This makes sense economically to me. In order for it to be worthwhile for a vulnerability discoverer to sell the exploit, the reward should overcome the cost. In this case, the cost is the probability of getting caught multiplied by the severity of the punishment.

[grkvlt]

> Granted, selling the vulnerability is illegal

Really? That's exactly what you're doing with Facebook - selling a vulnerability to them, which they then pay you for. So, disclosing to some third party ought also to be fine. The morality or otherwise is up to you though, I guess...

EDIT - I just read @tptacek's reply below. I guess that selling to known criminals, with the knowledge they would use the exploit to commit a crime, _is_ going to be illegal most places.

[tomjen3]

How is it a crime to sell a security flaw? It is just knowledge that you found yourself (as opposed to was told under an NDA, in which case it might have been).

[tptacek]

It's not a crime to sell a security flaw! It is, on the other hand, probably a crime to abet computer fraud, which is what you'll have done if you accept money from someone in return for an exploit you had that they subsequently use to break into Facebook.

[tomjen3]

That could be stretched to making it a crime to sell maps (plan a getaway), kitchen knifes (stabbing) or gasolin (arson).

[analog]

It would fall under 'conspiracy' in most jurisdictions.

[napoleond]

Selling vulnerabilities to criminals is itself a crime.

'daeken seems to disagree with you[0]. Is he correct, or is the "to [proven] criminals" in your statement important?

0. https://news.ycombinator.com/item?id=5799382

[tptacek]

Simply selling vulnerabilities isn't criminal (it's a bit of a grey area, but if I didn't have ethical issues with the practice, it's so far onto the "safe" edge of the spectrum that I'd be fine with assuming the risk.)

Selling vulnerabilities to people you know to be criminals, or to people a prosecutor can convince a jury a reasonable person would have known to be criminal, probably is a crime.

[josh2600]

Joe Sullivan, Director of Security at Facebook said publicly during the SF New Tech Security event this Wednesday that Facebook purchased the Java 0Day run in their training exercise[1]. I guarantee that 0Day was more than $5000.

[1]http://arstechnica.com/security/2013/02/at-facebook-zero-day...

[tptacek]

It may have been, it may not have been (we don't know the terms), but it was a clientside driveby RCE, not a web app bug.

[daeken]

The "to proven criminals" is key. Many people in the industry make a lot of money selling to governments and private companies like Vupen.

[csoghoian]

And by many people, you include yourself, right?

Long before you disclosed the vulnerability in Onity hotel locks to the public, the startup you had co-founded "licensed" the same flaw to Lockmasters Security Institute, a company that trains law enforcement agencies, special ops, and intelligence agencies in covert entry techniques.

You gave LSI's government customers a pretty big head start before you bothered to disclose that flaw to the general public.

[daeken]

Yes, I do include myself in that.

[tptacek]

Exactly what was the point of this comment, Chris? He wasn't making judgements. He was explaining something that he has personal experience with.

[csoghoian]

If researchers in this community are going to sell security vulnerabilities to the government, I think that fact should be well known.

daeken's work on hotel locks got a lot of press, but the fact that he had two years earlier sold that info to a company for "law enforcement purposes" hasn't gotten nearly the press attention it deserves.

Martin Muench and Chaouki Bekrar have openly embraced what they do. As much as I dislike the path they follow, I have to at least respect them for being up front about the business they're in.

If you're going to help governments covertly break into people's homes, computers, and smartphones, you should wear it with pride.

[onedev]

What an absolutely retarded argument.

As someone mentioned above, apparently this is the same amount of money that Google offers for security exploits. How is it any different?

Also how much money do you expect? You should expect NO money for doing the right thing. Rewards like these are simply gestures of goodwill and you should thank Facebook for even offering something like that.

Giving such exploits to the black market is WRONG. It's morally unjust. Money shouldn't change the situation any more.

[khafra]

On the other hand, I feel significantly more secure on facebook than on paypal.