by smitherfield 4077 days ago
It's hard to think of an easier decision. Get $100,000 for a couple months before you go to federal prison for 30 years, or hire a publicist and get featured on every tech blog in existence as "the guy who found the PayPal complete account takeover bug," and let the 7-figure job offers roll in.
2 comments

As someone who has found several arbitrary account takeover bugs impacting >100M users, I can tell you this will give you job offers, but only in the low 6 figures.

With the state of the media in the infosec industry, having your finding widely publicized doesn't mean much, either.

> let the 7-figure job offers roll in.

I would know far more millionaire engineers/hackers if that was actually true.

> go to federal prison for 30 years

If one was talented enough to find such a vuln, it is hardly a stretch to say they would be smart enough to avoid getting caught.

> If one was talented enough to find such a vuln, it is hardly a stretch to say they would be smart enough to avoid getting caught.

... This is plainly not true. First, the ease of finding a bug in a web app varies considerably. This article, for instance, was simply about resending requests quickly. It doesn't necessarily require amazing intellect to come across such a bug. Look at famous "hackers" that dicked around with querystrings and got into all sorts of fun.

Second, even if someone is smart and figures out how to solve a certain problem to gain root, it does not mean they're clever, aware, or dedicated enough to maintain opsec. One mistake, any time, and you're toast.