[chaz]

> I wrote a full disclosure post 5 minutes after finding the bug because twitter doesn't reward "bounty hunters".

Companies without bug bounties don't deserve responsible disclosure? Twitter has a pretty clear way to reach them, and recognition is given on their page. If recognition isn't sufficient for responsible disclosure, how much money would be enough? I think bug bounty programs are great, but I don't think they should be mandatory.

https://about.twitter.com/company/security

[doughj3]

> Companies without bug bounties don't deserve responsible disclosure?

That seems to be homakov's view, yes, and I can't say I don't understand his view.

[md224]

Of course you understand it, but do you agree with it?

If you seek out bugs in a company's code with the expectation that you'll be rewarded for it, and then the company fails to reward you, I can see that it might be perceived as unfair, especially if the company indicated that such an expectation was reasonable.

If you happen across a bug in a company's code, and then publicize it because they aren't going to pay you money for it, that seems a little more like "blackmail." People really shouldn't orient their moral systems around money.

[drewcrawford]

Well given that homakov has found this bug, there are a few possibilities:

A. Homakov could do nothing. This leaves Twitter in the same state that it is now, but it if everybody did this, it is likely that nefarious people would find and exploit bugs in Twitter

B. Homakov could donate his time, as a skilled and highly-trained professional consultant, to a $32bn publicly-traded company

C. Homakov could practice full disclosure

This isn't even close to blackmail. This is a security consultant publishing a vulnerability that he discovered on his own time, that apparently Twitter's internal security team missed. That might be embarrassing for Twitter, but tha'ts hardly homakov's problem as a third party.

[md224]

> This isn't even close to blackmail. This is a security consultant publishing a vulnerability that he discovered on his own time, that apparently Twitter's internal security team missed. That might be embarrassing for Twitter, but that's hardly homakov's problem as a third party.

Perhaps "blackmail" was too harsh a word. A better analog might be discovering a business left their back door unlocked. Do you announce it to the entire neighborhood because the business doesn't give out "security prizes," or do you attempt to notify the employees? That seems like the point of responsible disclosure.

[drewcrawford]

Well I think we are blurring two different issues here. The first question is whether or not full disclosure is acceptable. The second question is whether or not it is acceptable to choose it because one is not being paid.

As far as full disclosure being acceptable, there are a lot of advocates. For example Bruce Schneier, Leonard Rose, and others. Not to mention that this issue isn't in a high impact category like remote code execution, loss of data, privacy, etc. It's also difficult to exploit; it requires authorizing a malicious app. So for all those reasons separately, and certainly all of them together, I think full disclosure is a completely acceptable choice.

Given that it is acceptable, is it still acceptable to do it if it furthers our own interests? Again, I think the answer is yes. The fact it is in my interest does not make an acceptable action into an unacceptable one.

You seem to be hung up on the fact that the researcher here was not particularly nice to Twitter. But people are under no obligation to be nice. It would be nice if you sent me a check for $200. But you won't, because there's no obligation to do that. And you and I--two strangers arguing with each other on the Internet--have a much stronger relationship than this researcher has with Twitter.

[jkrems]

Your analogy is missing the public interest: the business is the postal office or similar and has all the neighbors mail laying around. Does not affect your point though (still not okay to just announce it to the neighborhood).

[ivanca]

Do you become a little more recognized by your peers by publishing that the door is open to your neighborhood?

Are people going to get killed or lose a lot of cash by knowing how to send unsolicited private messages on twitter?

Like most analogies; it shows your bias rather than some enlightenment on the subject.

[bigiain]

And:

D. He could have sold the discovery to someone who'll pay him for it, then have them go on to abuse it to send DM spam to twitter users.

I have no doubt at all that homakov could have sold his discovery for at least as many dollars as any of the well known bug bounties would have rewarded him - if his motivations were purely mercenary…

[derefr]

> B. Homakov could donate his time, as a skilled and highly-trained professional consultant, to a $32bn publicly-traded company

This is probably the best option, but only if you approach it the same way most contractors do when offering a discount/free service for a client.

When you do free work, don't say it's free -- instead, say that you're offering a 100% discount. Sent your client an invoice for the price you'd regularly charge for such a thing, with the entire price deducted off at the bottom. Include a note saying that this is an offering of goodwill, and that you hope this will help in building a relationship with them in the future.

Leave the client to decide for themselves whether this means that your future vulnerability reports will come without this discount, and see what they say in response.

[yohanatan]

You're missing a key difference. Twitter didn't commission the work performed here. Sending an invoice for work that wasn't requested is not only dumb, it's offensive.

[hnriot]

what a dumb idea! I can't even tell if you're being serious.

[homakov]

Never tried it but obviously it wont work. It is easier to start with actions than with dialog here.

[tripzilch]

> People really shouldn't orient their moral systems around money.

Neither do corporations, but whenever you hear anyone say "corporations shouldn't base their moral systems around money", then it's all about "free market", "profit" and "shareholder values".

I'm not saying I'd do the same in this case, but it's a bit of a stretch to assume people-people morals apply to people-corporate situations.

[md224]

> Neither do corporations, but whenever you hear anyone say "corporations shouldn't base their moral systems around money", then it's all about "free market", "profit" and "shareholder values".

I'm not sure if you're trying to highlight an aspect of communal hypocrisy, but I will say that I wouldn't be one of the people shouting back stuff about "shareholder values" in response to a call for corporate social responsibility.

> it's a bit of a stretch to assume people-people morals apply to people-corporate situations

Sure, there's a bit of a power dynamic in play. But we should also remember that corporations are just huge groups of people working together for some kind of common cause. If you do something kind for a corporation (like, for example, responsibly reporting a security vulnerability instead of releasing it into the wild) then you're essentially doing something kind for the people that work there.

I'm not saying anyone needs to go out of their way to be kind to corporations... I'm just saying we shouldn't treat them like they're not "real" and don't deserve a single iota of basic respect. (Of course, if they show a lack of respect to others, that complicates the picture, but the same would hold for "people-people" morality as well.)

[chii]

> If you do something kind for a corporation .... then you're essentially doing something kind for the people that work there.

that is absolutely not true. A person doing a favour for a corporation will not get the result as doing a favour for an individual.

The corporation isn't a group of people - its a group of people under some control of a few. Their common cause is not the common cause of the employees, but that of those few in control. And i said 'is', because the corporation only h as one cause - to make profit, any way possible.

Do not ever place any loyalty, or sympathy for corporations. Do not expect them to behave morally, or altruistically. It will only end badly for you. Try to extract as much value out of a corporation as you can, just as they do to you.

[homakov]

i would replace "company" with "huge company with resources". If it wasn't twitter but e.g. some startup, sure I'd report it like everyone does.

But twitter is like saying "back off, we are huge and we don't pay researchers a cent". So let it be

[sillysaurus2]

Not only that, but if Twitter was feeling cruel, they could drag him through court (if he's based in the US). That would be a nuclear option, but, when your future welfare is on the line, you really shouldn't screw with companies.

Twitter obviously wouldn't drag a hacker to court. I'm saying, in general, don't do this, because other companies might. http://en.wikipedia.org/wiki/Randal_L._Schwartz#Intel_case

[username223]

"when your future welfare is on the line, you really shouldn't screw with companies"

Lie back and think of England.

He's not US-based, so he can freely give them the finger. Good for him.

[homakov]

Hm, are you sure cracking password and writing about a bug which you didn't exploit on other users are the same thing?

[sillysaurus2]

Would you like to keep testing whether a prosecutor is daring enough to bring charges against you, especially in this social climate?

It's not paranoia. Once you start straying from the path of responsible disclosure, the path to danger is quite short.

In this case, I think you're in no real danger since it's Twitter. So don't worry. But if it were some other company, though, you wouldn't be able to rely on goodwill to protect you. And without any protections, there's nothing preventing the (extremely powerful) courts from bringing charges. It's happened before; it will happen again.

[homakov]

everything is possible. Furthermore, in Russia where i used to live, they don't need any charges, they can make them up from nothing.

[Myrmornis]

I understand what you say here and below, but basically, whether we wish the world were otherwise or not, when people form corporations a line is crossed, and you enter a game where people will be ruthless in the interests of their own team. Homakov has some information: it's up to him to assess the value of that information and to assess the expected payoff from the different actions he can take. Unless we can make an argument that someone's private life is on the line here then the rules of the business world apply. There's a reason people derided Mitt Romney when he said "Corporations are people too my friend."

[huhtenberg]

Another way to look at it is that if there are no bounties, then the company may not have security issues high on its priorities list.

I'm not saying it's true, but it's plausible that some people in Egor's position think that way. And he seems to like his publicity, so 1+1 = 2.

[sneak]

> Companies without bug bounties don't deserve responsible disclosure?

The term "responsible disclosure" implies that other types are "irresponsible disclosure".

If you discover new information through research, there is nothing irresponsible about publishing it on the open web.

Stop this stupid linguistic battle.

[ronaldx]

Why should companies expect disclosure at all?

The fact that the bug has been disclosed rather than exploited is, itself, a huge favour to Twitter.