by rilita 4032 days ago
My focus here is really on highly critical vulnerabilities that affect the public in a negative way by existing. I agree completely that reporting smaller bugs, or possibly large bugs with no hugely negative effects, tends to get you respect and thanks.

Reporting critical ones that result in major changes tends to win hatred and negative attention overall. There is positive mixed in, but it does not outweigh the negative.

Possible ways to handle critical vulnerabilities:

1. Sell them to the highest bidder. Typically that bidder is the government. There is an open legal market for this. Result: You make some money, the government uses bugs against people, and you are viewed as a traitor by the software community.

2. Sell them to the black market. This is criminal behavior. Figure this one out for yourself.

3. Do nothing. This is what most people do. Result: You are normal.

4. Use them in some illegal fashion for yourself. (See #2.)

5. Tell your boss. Result: If you were told to be looking at it, you will get kudos. If you were not, you will get yelled at for wasting time, and told to do #3.

6. Tell the company who makes the software. Result: If there is a bug bounty program and you report it through that, you get a small bit of money (not worth it), and it gets fixed. If there is not, your message will likely be ignored.

7. Tell the public. Result: You will be ignored.

8. Tell the public loudly. Result: You will be mocked.

9. Tell the public loudly and demonstrate the problem. Result: Everyone will attack you for making it possible for people to abuse the problem.

10. Demonstrate the problem for yourself. Notify the company first, anonymously. If they don't listen or do anything, notify the public, including documentation of your attempts to notify the company. If the public still ignores you, also publish the demonstration. At no point let on who you are; it is just not worth it.

Only #10 is a solution that works in all scenarios, and it brings little reward for the person finding and reporting the issue.

I am obviously ignoring the case where you are hired as a pentester. That is a whole different story.