Send him an e-mail saying, "Hey, I sent you $100. I would deeply appreciate it if you spent it on your beverage of choice, or a nice dinner with a friend, rather than on necessities."
Charging $400/hour does not mean he does not need extra money. The nature of his business is short-term projects; it's not like a regular web developer who has to work 40 hours a week for many months to finish a project. He only does audits, which don't last long; because of that you see this "high" (I personally don't think it's high) hourly rate.
It's actually a good strategy to price high hourly but over-deliver (doing lots of free work behind the scenes, or speculative unpaid work, etc.) -- rather than the market-clearing rate of ~100-150/hr, at least when you're trying to build a brand. At $400, he's clearly a specialist, and will get more interesting work; at $100/hr, you could hire him and just treat him like another developer, have him do cookie-cutter assessments, etc.
Personally, I think he'd make more money at $400-600/hr if he could also get some kind of manager to handle the interactions with clients; it doesn't seem to be what he enjoys, or is particularly good at.
(I've had drinks with him before, so probably the most effective way to accomplish my goal is to buy him drinks when I'm in town.)
Personally, I think he'd make more money at $400-600/hr if he could also get some kind of manager to handle the interactions with clients; it doesn't seem to be what he enjoys, or is particularly good at.
Completely agree. I'm not doing security, but my hourly is similar, and it was a game changer for me to have someone in a manager-like role working with me. Client relations are a huge time suck, but are also absolutely necessary. If he can find someone (or maybe someone on HN should volunteer), it'd be more than worth it.
BTW My manager takes a flat 15%. I'm much happier, clients are way happier, and my total income has increased as a result—not to mention another person is gainfully employed at something they're good at and enjoy. A win-win all the way around.
At least in my experience, I donate to groups that do good work but aren't getting paid for it. I wouldn't donate to people who are being paid (quite handsomely, in this case) for their labor. Especially when he's already clarified that GitHub paid him more than he thought his time was worth.
Perhaps you could clarify that part in your future posts, to appease the Internet haters on both sides. "I do paid contract work. However I also spend lots of time fixing open source stuff for free. If you want to encourage me to keep doing the latter, here's how to donate."
Donate or don't donate, that's your call. But why are you complaining about him asking for a donation? Why try to "shame" him? What is he doing to harm you?
Not sure why you're viewing my comment with such hostility. I was mistakenly under the impression that most of his work is contracted / bounty. He's already clarified his reason for accepting donations below, and I understand. I just think the placement/wording was less than ideal.
I doubt Egor is being paid for posting these summaries to his own blog for all of us to see. Even if he weren't contributing code to various libraries and applications, these write-ups are a great benefit to everyone else who has yet to be a target.
Although you probably should factor in the possibility of several years of compulsory $0.30/hr labour, plus forfeiture of all your ill-gotten gains (and probably some healthily-gotten ones too, they're not so fussy).
And that's before legal costs and possible restitution.
Sure, I had a similar first reaction, but thought about it. If you have skills but haven't yet developed a deep-enough client base, you're in a quandary. You can't bill for $10/hour, or no one will take you seriously. You need perceived value, so you have to quote some reasonably high rate, even if you case-by-case discount it or work gratis.
(At least that's how I imagine it must work. I've never consulted.)
I totally believe that he's worth that amount of money. I'm sorry if you thought I was questioning that. I'm questioning the juxtaposition of his hourly rate with a request for donations.
I think the contract makes sense for clients, and the donation makes sense for other security researchers who want an incentive for him to keep publishing ideas.
Understood. But I imagine that his work isn't quite as "steady" as one might expect. He invests time by trying to find security exploits in hopes that the affected company compensates him. He doesn't set his price or even determine if he gets paid for his time.
I think that might be the rationale...or it might just be that he's found himself in a position where he can collect bounties AND donations :).
There were always people complaining "Add a donate address"
Now "why you added a donate address". Oh, Internet.