by lmm 4581 days ago
You're not entitled to a bounty just because you found a bug. Some companies offer these bounties and it's good that they do, but that doesn't mean every company is obliged to offer them, or that a company that offers bounties for some bugs is obliged to offer them for all bugs.
3 comments

How about a moral obligation? Honestly, it sounds like if a taxi driver returns a bag full of cash to the owner, it is perfectly alright if they just say "Thank you" and walk him to the road. Legally: nothing wrong, morally: being a greedy asshole.
Frankly if a taxi driver bitched on his blog about someone doing that I'd be saying the same thing. It's nice when someone gives you a reward for doing the right thing. But you shouldn't act like you're entitled to it, because you're not.
> But you shouldn't act like you're entitled to it, because you're not.

Depends where you are. In Germany you are entitled to a finder's fee by law (in the case of the taxi only if the value is > 50€ and only 2.5% instead of the normal 5%)

That's an interesting point of view. I consider it being a greedy asshole when you feel entitled to a reward for doing the right thing.
It should absolutely be in the interest of companies to reward security researchers who find flaws in their systems. Otherwise, they will be screwed by the less scrupulous.
We are talking about different things. Sure it's in the company's best interest, just as it is in the interest of someone that loses their wallet to offer a reward. That said, when nothing is offered up front (possibly because the problem is unknown), to feel entitled to a reward and disgruntled when one isn't offered is not what I would call "moral" behavior, as brought up farther up-thread.

It's moral when you do it because it's obviously the right thing for everyone involved. When there's money involved, that's something else.

Just because you're complaining doesn't mean you feel entitled. If someone is rude to me and I complain about it, am I expressing that I feel entitled to have non-rude interactions with this person? If I post a negative book review, am I feeling entitled to a good book?
But is it rude for someone to not monetarily reward you for doing something good? That's what I was replying to up-thread. To feel you deserve compensation for a good deed when there was no prior agreement as such is indeed entitlement.

This thread hasn't really been about the article for a while. It's been about someone feeling that people that don't reward for good deeds are greedy assholes, which I think sets a bad precedent. If you want to incentivize fine, but let's not confuse that with what the right thing to do is.


Clearly, you are being sarcastic!

If not, I am amazed by your naïveté.

That's a false analogy. Taxi drivers are obligated to return lost property, but nobody is obligated to report bugs. That's why you create an incentive to report, i.e., the bug bounty.

"Taxi drivers and owners must return property they find in a taxicab." - http://www.nyc.gov/html/tlc/html/passenger/sub_lost_prop_inq...

Aye! It's not a perfect analogy, but I was pointing out why people should reward the guy if he didn't exploit the situation in a wrong way. In this case, it was the whole source available to him. Albeit, he was more or less inclined to report the bug, but what if he hadn't and probably sold it somewhere? Why shouldn't the company reward him for his effort?
Morally: A good deed is its own reward.

Further: Money doesn't have any owners. Only spenders.

As an aside this very thing is an excellent example of how extrinsic motivators can "poison the well" as it supersedes intrinsic motivation. Dan Pink gave a great talk on this -- http://www.youtube.com/watch?v=tJr9QajdCNc (sorry, I prefer the illustrated version).
For sure, he's also not obligated to not sell this information to the highest bidder.
He is obligated legally and (IMO) ethically.
> ethically

Double standards.

Can you expand?
I think he means that if we're not holding Prezi ethically responsible to pay the bounty, then we can't then start saying the researcher is ethically bound not to sell the exploit.
Exactly, it's just a URL.

Why not sell it? People sell URLs all the time, and bitbucket is clear written intent from the company that they wanted their source control systems accessible to the public else they would not have provided written notice to the world of their passwords.

Surely the creators of the software are competent software experts who fully understood the implications of making their repository public. Surely, they are not asserting that they were so negligent in the performance of their duties as to not check whether the repository would be made public.

Also, they've made numerous written affirmations that the issue found is not a bug, and would not qualify as part of their bug bounty for security flaws.

They are morons and deserve to be hacked because they are negligent and make affirmations that leaving their source control system passwords on public computers is not a security issue worthy of payment. They deem the risk to be so insignificant as to not even be worth $500.

But Prezi aren't ethically responsible for paying the bounty. They stated the conditions pretty clearly and what he found wasn't within their scope.