
Bug bounties are sensible, but price-matching seems too easy to game. How can the company know a bid is serious, and not just fake to be matched? "Oh, sure, so-and-so offered $200k for this bug."

(For that matter, while reputation is certainly a thing, what stops a security researcher from selling the same 0-day to several different buyers, and then selling it to the company to fix? Do the typical contracts to sell 0-days involve continued payment based on the amount of time the bug remains unfixed?)



I'd care a lot more if Adobe et al. weren't repeatedly screwing up. A couple of million-dollar bounties and forcing them to pay to internalize their negative externalities will help create the proper internal focus on shipping secure software. Reputation doesn't show up as a line item.

And if a security dev resells, who cares? The company still got the 0-day and still gets it fixed asap. It's far better than our current situation where these can persist for years.


> what stops a security researcher from selling the same 0-day to several different buyers, and then selling it to the company to fix?

People willing to pay 5- or 6-digit sums for a zero-day are likely... not nice. One wouldn't double-cross them willy-nilly. Multiple-sale-to-multiple-third-parties scenarios are likely happening every day, but selling to developers could be considered an act of sabotage against all buyers, so there is no incentive really.


How about an escrow contract using a third party and bitcoin? You could call it Silk Road 3. It's really not that hard to be taken for a ride if you have the resources Adobe does.


If you know a company is legally obligated to pay up to $x, and that they have $x, you can offer to pay $x/1.1 in collusion/partnership with the bug-seller, for a share of the proceeds. You can outlaw the collusion, but setting up this kind of mechanic seems like a bad idea.



