by jqueryin 4521 days ago
If @homakov is finding security holes without access to Github repositories, imagine what he'd find if you had him code audit for a few days... He's clearly been going about this the proper white-hat way and ensuring holes are patched before open disclosure... what's there to lose?

On the flip side, you could go about doing what you're doing under the presumption nobody is maliciously targeting your user base. In this scenario, it's possible you have a couple bad actors that see a net benefit greater than your bug bounties and are silently stealing and selling supposedly secure code from your users. You could be supporting a hacker black market where they sell and trade codebases to popular online sites. Imagine how easy it would be for them to find vulnerabilities in these sites if given access to the source code.

That, my friends, would be a catastrophe.


I don't get why Github just hasn't hired the guy already.
In his earlier work at least, he's seemed like a loose cannon.
I don't think that is a fair assessment of him, even then.

At any case, I hired him fairly recently for a security audit and he worked quickly, and was very effective (he found several important vulnerabilities and reported them in a crystal clear manner). He was also a pleasure to deal with (no bullshit stance, something I find enjoyable).

The 4000 USD for ~20 hours of work were definitely well spent!

The parent was asking why Github hasn't hired him, not why nobody has hired him. If you remember, Github actually banned him for hacking the Rails account in his pentesting.
There were 2 or 3 cases I regret. The rest of my work is alright and responsible, no?
Yeah, the first Github and Rails exploit is the one that still sticks out in my mind. That kind of thing can be hard to shake, but it helps that you were quite young at the time. I'm happy to see you've matured a lot since then.
He was also very young then I believe, now he's realised he can make a lot of money by acting cool and professional so he does.
And that could be why he might now be considered, but why he wasn't before.
I think his behaviour was commendable - he tried many, many times to warn, going to multiple people and projects, but they all ignored him - they were too busy being Gem-installing Ruby hipster Brogrammers to consider security, and it bit them hard in the backside.
I'm incredibly interested in angling my career towards security and have no real experience.

Wouldn't it also be wise to keep people like him 'out of the loop'? I imagine it's much harder to audit when they have access to internal code/architecture that would be difficult for an outsider to stumble upon.

He gets paid $400/hr doing consulting for YC companies and other startups and companies. He is from Russia and now lives in Bangkok; when he becomes rich he wants to live in Hong Kong. Pretty nice for a 20 year old. I don't see any glaring reasons to work for Github. http://egorhomakov.com/
$400/hr is meaningless if it comes from a one-off gig.
That's about $13000 THB / hour. Considering that it isn't uncommon for junior programmers in Bangkok to make (and live on) 20-30K / MONTH....
400 USD/hour is a great rate anywhere in the world, even the most expensive cities.

But abcd_f's comment is right about one-off 4-hour projects vs. long-term contracting. Non-billable time overhead spent on finding clients, negotiating contracts, mentally switching projects, or just sitting idle can negate the benefits of a high hourly rate.

He's mentioned before that he's not into full-time work:

https://news.ycombinator.com/item?id=7136027

Completely agree, GitHub private repos are a huge target. Even if you use 2FA, after login it's just a cookie that separates the good from the bad. How could GH improve that? Client-side SSL Certs?
If you're talking about for company projects, the enterprise version of Github is self-hosted (e.g. on a VPN): https://enterprise.github.com/
People shouldn't trust the cloud for important source storage. Always self-host anything you want to keep private.
I'm pretty sure many more codebases have been lost through failures to secure internal networks by corporate IT departments than through vulnerabilities in cloud hosting providers.
I agree. I was speaking more about security than about "we blew up our own code repository". Everyone has the ability to light their own house on fire.
I think he is referring to many people failing to secure their networks and having code stolen. It can be just as insecure, if not worse than a cloud provider if done wrong.
'People' shouldn't 'trust' anything.

Verify.

Important storage can be done 'in the cloud', but you need to audit and verify the cloud vendor is providing the proper controls. Just like you need to do 'privately'.

For code projects that are between me and a couple of other devs, none of whom are infrastructure security experts, I trust a company like Github a lot more than one of us trying to hack something together on a server.
With the exception that if you have three guys hacking something together on a dedicated server or a box off your cable modem, with git tunneled over ssh using keys and a proper firewall, you'd probably be miles ahead. That might take you an afternoon to set up with almost no experience.

Not to say that it couldn't be compromised, but you're not a target like github might be. If you're working with an enterprise-level project with more complex auth and access methods, more users, performance and scaling needs, you'd need a real security implementation.

There's plenty of companies/enterprises that use regular Github private repositories though.
Guys, why are you still hanging out on Github? There are so many better on-premise solutions like RhodeCode (https://rhodecode.com) or Gitbucket (https://github.com/takezoe/gitbucket) available. And they are even free.
But hiring him offers no guarantee that he will be able to find any other bugs.

That's the beauty of bounties: they allow people to decide whether they want to do the right thing or not. If there were no bug bounty, more people would just be tempted to exploit the bug.