Supply and demand. Selling via grey markets is an option, but many white hats don't go that route due to risk. There's plenty of people that will also find vulnerabilities without any money attached.
That's a limited view. The damage this could cause should be accounted for. People don't have to sell shit, they could fuck things up just for the fun of it. That's something to consider, especially with a bunch of teenagers. Now, these big corpos didn't take the chance to sponsor and encourage these kids early careers and make this fuck-up good PR, at least.
That's not how economics works. I can't do my job without a computer or glasses but that doesn't mean I can pay the suppliers of these things most of my salary each. Preventing a 100k€ problem says almost nothing about what the payout should be. As for them just causing chaos for fun, that nets them just about nothing (what's an evening of fun worth, like what are you willing to pay for a cinema ticket?). This is certainly more (hundreds of times more) and so covers that risk as well
In an ideal world, these bugs, especially low-hanging fruits, shouldn't be discoverable by some random kids. These billion dollar companies should have their own security researchers constantly monitoring their stack. But those costs are cut, because the law de facto doesn't hold them liable for getting hacked. It's a very good deal for companies to pay bug bounties, but they mostly cheap out on that, too.
It's like a finders reward elsewhere in life. If you lost your wallet, your immaterial and material loss is quite high, but apart from cash the contents are of way less value for a finder/thief. These type of rewards are meant to manipulate emotions and motivation. Twitter paid these kids each between $1 and $20. That's insulting. As I said elsewhere, bug bounties are PR. And it's bad PR in this case. Black market pricing is the absolute low end for valuation (it's basically the cash value in the wallet example).
> these bugs, especially low-hanging fruits, shouldn't be discoverable by some random kids. These billion dollar companies should have their own security researchers [...]
I'm twice this kid's age and have been doing this hobby-turned-work as long as they have. I can tell you the work we do is no different. It doesn't matter if you're 16 or 64 or what your credentials are or salary is. We're all just hackers. Hacker ethos is judging by skill, not appearance. Welcome to hacker news :P
> Twitter paid these kids each between $1 and $20.
The submission doesn't say they've even contacted Xitter. I thought it was in the title just to drop names that we've heard of that used this dependency. Did you legit find somewhere that they got ≤20$ for an exploitable XSS on the x.com or twitter.com domains? That is definitely a strangely low amount but then I'm not surprised by anything where Elon is involved. It could also have been a silent fix without even replying to the reporter; I've had that often enough. But yeah from X I would expect a few hundred dollars at least and from old twitter (or another legit business) more than that (as Discord demonstrated)
Get off your high horse. In this instance it's been a kid, and it does not concern some highly arcane flaw in a crypto library or chained kernel exploit, which may have passed even a pro. I already implied this bug should have been found by in-house security, so obviously it's within the domain of professionals and teenagers alike.
> The submission doesn't say they've even contacted Xitter.
This one doesn't. This one does: https://heartbreak.ing/. Or at least, I presume they meant Twitter when they wrote "one company valued 44 billion".
I've rarely gotten bug bounty money and not even always a written thank-you but it doesn't cross my mind to somehow seek out a malicious actor that wants to make use of what I found. Leave the place better than you found it and all that
Supply and demand. Selling via grey markets is an option, but many white hats don't go that route due to risk. There's plenty of people that will also find vulnerabilities without any money attached.
That's a limited view. The damage this could cause should be accounted for. People don't have to sell shit, they could fuck things up just for the fun of it. That's something to consider, especially with a bunch of teenagers. Now, these big corpos didn't take the chance to sponsor and encourage these kids early careers and make this fuck-up good PR, at least.
That's not how economics works. I can't do my job without a computer or glasses but that doesn't mean I can pay the suppliers of these things most of my salary each. Preventing a 100k€ problem says almost nothing about what the payout should be. As for them just causing chaos for fun, that nets them just about nothing (what's an evening of fun worth, like what are you willing to pay for a cinema ticket?). This is certainly more (hundreds of times more) and so covers that risk as well
In an ideal world, these bugs, especially low-hanging fruits, shouldn't be discoverable by some random kids. These billion dollar companies should have their own security researchers constantly monitoring their stack. But those costs are cut, because the law de facto doesn't hold them liable for getting hacked. It's a very good deal for companies to pay bug bounties, but they mostly cheap out on that, too.
It's like a finders reward elsewhere in life. If you lost your wallet, your immaterial and material loss is quite high, but apart from cash the contents are of way less value for a finder/thief. These type of rewards are meant to manipulate emotions and motivation. Twitter paid these kids each between $1 and $20. That's insulting. As I said elsewhere, bug bounties are PR. And it's bad PR in this case. Black market pricing is the absolute low end for valuation (it's basically the cash value in the wallet example).
> these bugs, especially low-hanging fruits, shouldn't be discoverable by some random kids. These billion dollar companies should have their own security researchers [...]
I'm twice this kid's age and have been doing this hobby-turned-work as long as they have. I can tell you the work we do is no different. It doesn't matter if you're 16 or 64 or what your credentials are or salary is. We're all just hackers. Hacker ethos is judging by skill, not appearance. Welcome to hacker news :P
https://en.wikipedia.org/wiki/Hacker_ethic#The_hacker_ethics item #4
> Twitter paid these kids each between $1 and $20.
The submission doesn't say they've even contacted Xitter. I thought it was in the title just to drop names that we've heard of that used this dependency. Did you legit find somewhere that they got ≤20$ for an exploitable XSS on the x.com or twitter.com domains? That is definitely a strangely low amount but then I'm not surprised by anything where Elon is involved. It could also have been a silent fix without even replying to the reporter; I've had that often enough. But yeah from X I would expect a few hundred dollars at least and from old twitter (or another legit business) more than that (as Discord demonstrated)
Get off your high horse. In this instance it's been a kid, and it does not concern some highly arcane flaw in a crypto library or chained kernel exploit, which may have passed even a pro. I already implied this bug should have been found by in-house security, so obviously it's within the domain of professionals and teenagers alike.
> The submission doesn't say they've even contacted Xitter.
This one doesn't. This one does: https://heartbreak.ing/. Or at least, I presume they meant Twitter when they wrote "one company valued 44 billion".
> Get off your high horse
What did I say that made you reply this way?
Not sure what risk but for me it would be morals
I've rarely gotten bug bounty money and not even always a written thank-you but it doesn't cross my mind to somehow seek out a malicious actor that wants to make use of what I found. Leave the place better than you found it and all that
> Selling via grey markets is an option, but many white hats don't go that route due to risk.
I would think that such a sale makes one inherently not "white hat".
What "grey market" are you talking about? How specific can you be about it?
I know you love asking people this question, so sorry to spoil your fun, but you know just as well as I do that there isn't really a "grey market".
There absolutely is. I'm just not familiar with one that buys these vulnerabilities.