by sdegutis 4520 days ago
> $4000 reward is OK.

$4000!? Wow, I'd love to be able to make $4000 on the side just doing what I love.

> Interestingly, it would be even cheaper for them to buy like 4-5 hours of my consulting services at $400/hr = $1600.

This sounds like a pretty clever strategy for marketing yourself as an effective security consultant.

EDIT: $4000!? wow. so money. such big.


Repeatedly and publicly demonstrating how good you are is probably a good way to market yourself in any field.
I will certainly have to try it. Although by doing this with programming, it's probably not as easy to get to the top of HN.
I'm pretty sure Egor's first language isn't English, so OK might mean 'meh it's alright' through to 'hey this is great'. I know a few non-native speakers who do similar things.
OK means it's OK but could be better :P
Straight from the source, thanks Egor. Great blog post as well, your explanations are really easy to follow for a non-security researcher.
I agree... How much could you have sold that exploit for on the black market?

http://krebsonsecurity.com/tag/0day/

According to his website, the minimum time you can buy services for is 8 hours so I'm not sure what he means here.
8 hours at $400/hour will still only be $3200, and he can presumably spend the remaining 4-3 hours doing more security analysis with less overhead, so it might still be cheaper to hire him as a consultant.
Exactly. Plus, if GitHub would really ask me for consulting I'd consider working for free, just for a testimonial.
I have a question for you! Roughly how many hours do you think you've spent looking for bugs on GitHub before you found this stream of exploits?
0. I spent less than an hour last year because there was no proper motivation.
Ah. How did you get the motivation now? How long did it take to find these bugs?
But they'd have to pay those $3200 without knowing if there were results. They might have to pay dozens of such consultants before one of them found bugs like this. Bug bounties, paid only on successful discoveries, are much cheaper.
But also much riskier. What if it transpires that the $4000 isn't enough? We know roughly what they're paying now, so when people find an issue like this they know they could sell it for much more.
Of course, there's probably also a large chance that he finds nothing in those 8 hours
"Nothing" never happened IRL. I either work extra for free trying to find more, or punch myself until I find something.
Really great attitude.

I would make this your tagline in some way -

"I will find vulnerabilities. If I don't, I will become a vulnerability to my own body and attack myself until I do!"

Did we really just make an "In Soviet Russia" joke? That was appropriate? Man, I love this place.
There are always n+1 bugs. I presume the same could be said for security holes, especially considering they are sometimes the result of bugs.
True, there are always bugs and security issues, but security issues tend to ramp up from trivial to find to very, very difficult to find even quicker than general bugs do, so finding bug n+1 may be substantially harder than finding bug n.

Given a reasonably competent development team, you can usually make a first pass and find quite a number of low-hanging fruit security issues. Everyone makes mistakes, especially when under pressure to get a product out. Once those are gone you can use fuzzing and/or static analysis type techniques to find another set, but after that you get to the point where the bugs start getting quite obscure and require a fairly deep knowledge of how the system works so you can start stringing multiple problems together to get to a real security issue.

Of course this can be offset somewhat by the fact that software is usually a moving target, so if you're security testing a live, active codebase the developers are likely introducing new issues all the time, though hopefully at a reduced rate as they learn from their previous errors.

Perhaps that was not the tone intended. Or perhaps relative to the damage he'd be capable of causing $4000 is small.
For some context, check out homakov's compilation of white-hat "hustlers" and the bounties they've received:

http://www.sakurity.com/hustlers