by orofino 4640 days ago
I'm confused. If I put code out into the wild, as a website, as an application, as... whatever, I'm supposed to compensate people that take it upon themselves to poke holes in it?

I mean, I appreciate the effort and the time, but just because you run a large web service or any web service doesn't mean that I should pay you for vulns. You should receive my gratitude, anything more than that is being extra nice.

Now, is there value in posting that there is some bounty for these things? Will it result in better, more frequent disclosure and give me the ability to close holes before someone nefarious comes along? Absolutely. Until I do that, people shouldn't speculatively be doing research and then retroactively bitching about how little they got paid.

If you do work like that, please let me know, I've got some projects you can work on that I might decide to pay you for.


If you run a large web service, how much is it worth to you for vulnerabilities to be reported directly to you, versus being sold on the grey market to someone looking for an exploit?

That is a question you should be asking when you decide to post bounties. It is not a question you should be forced to ask after someone goes and finds vulnerabilities all on their own without your knowledge and then comes to you and asks for payment unbidden. That is called extortion.

You're right. As a result, white-hats should spend zero time with Yahoo (as the company in the article has indicated they will). The result of that is that only black-hats will be finding Yahoo vulnerabilities. Not a good end result.

What should happen is that Yahoo should have bounties in the first instance. They don't have to, but not having them leads to a bad outcome for everyone except black-hats.

The lesson here is not that there is an expectation of payment - lots of companies don't give bounties.

It's that if you do give a bounty, don't make it an insultingly low value at your corporate store.

In the case of Yahoo!, I can follow you to the extent that they missed a branding and recruiting opportunity more than future white-hat disclosures.