by claudius 4520 days ago
8 hours at $400/hour will still only be $3200, and he can presumably spend the remaining 4-3 hours doing more security analysis with less overhead, so it might still be cheaper to hire him as a consultant.

Exactly. Plus, if GitHub would really ask me for consulting, I'd consider working for free, just for a testimonial.
I have a question for you! Roughly how many hours do you think you've spent looking for bugs on GitHub before you found this stream of exploits?
0. I spent less than an hour last year because there was no proper motivation.
Ah. How did you get the motivation now? How long did it take to find these bugs?
They launched a bounty; this was the motivation to check things I always wanted to check. It took me about 4-5 hours, and most of that time I was watching TV shows.
Awesome, thanks.
Almost $1000/hour for watching TV shows... nice job :)
Read the post. They started offering money.
But they'd have to pay those $3200 without knowing if there were results. They might have to pay dozens of such consultants before one of them found bugs like this. Bug bounties, paid only on successful discoveries, are much cheaper.
But also much riskier. What if it transpires that the $4000 isn't enough? We know roughly what they're paying now, so when people find an issue like this they know they could sell it for much more.
Of course, there's probably also a large chance that he finds nothing in those 8 hours.
"Nothing" never happened IRL. I either work extra for free trying to find more, or punch myself until I find something.
Really great attitude.

I would make this your tagline in some way -

"I will find vulnerabilities. If I don't, I will become a vulnerability to my own body and attack myself until I do!"

Did we really just make an "In Soviet Russia" joke? That was appropriate? Man, I love this place.
Alright, I had to look this up. Here's some info on these types of jokes.

http://en.wikipedia.org/wiki/Yakov_Smirnoff - referred to as a Russian Reversal

OK, I learned something I completely wasn't aware of before.

But, no, no intent to make that kind of joke.

Not getting you. And no, not my intent. What he said was funny and I found it funny. Nothing to do with Russia at all.
There are always n+1 bugs. I presume the same could be said for security holes, especially considering they are sometimes the result of bugs.
True, there are always bugs and security issues, but security issues tend to ramp up even more quickly than general bugs from trivial to find to very, very difficult to find, so finding bug n+1 may be substantially harder than finding bug n.

Given a reasonably competent development team, you can usually make a first pass and find quite a number of low-hanging-fruit security issues. Everyone makes mistakes, especially when under pressure to get a product out. Once those are gone, you can use fuzzing and/or static-analysis-type techniques to find another set, but after that you get to the point where the bugs start getting quite obscure and require a fairly deep knowledge of how the system works, so you can start stringing multiple problems together to get to a real security issue.

Of course this can be offset somewhat by the fact that software is usually a moving target, so if you're security testing a live, active codebase the developers are likely introducing new issues all the time, though hopefully at a reduced rate as they learn from their previous errors.