I'm not nearly as adept at pentesting but out of curiosity, is there an established point at which you just don't go and farther? Like a point between "get a $5000 bug bounty" and "CFAA charges and prison time"? The author mentions this at one point but it seemed like more of a gut feeling of not being too intrusive.
When I read about this stuff, it seems like half of the articles end with some company either patching or not patching their security holes with some tester maybe making some money and the other half end with someone being charged for accessing public-facing data that wasn't meant to be accessed.
1. Does pursuing the vulnerability further benefit the research?
2. Would it cause any damage?
If the answers are yes and no, I'll happily see where it takes me and re-evaluate as I go on. With bug bounty programs it's generally expected that researchers are going to poke and prod at things which they otherwise shouldn't, although some programs do specifically state their objections to pursuing issues further. Facebook, for example, would rather you find an issue and report it straight away while others might admire your creativity to show exactly what an attacker could do.
These programs are great in the sense that companies are starting to accept security research and appreciate responsible disclosure instead of non/full disclosure.
However, and I know this is not a popular opinion and that most people argue they do it "just for fun". But in my mind the "just for fun" argument is nothing more than an excuse for letting large corporations* use you. Seriously, swag? Your hourly salary is minimal wage. What about all the time you spend studying? You should get payed like everyone else. Even if you really think it is that much fun, why wouldn't you want to be able to make a living out of it? Your knowledge should be (and are!) valuable.
I don't really have a solution. Maybe time is the answer. Globalization does not make it easier as the bounties are quite large from the perspective of some countries.
What do you guys think? I think it is time we start valuing our knowledge. No one will do it for us.
* If it is a start-up, non-profit, or a corporation you believe makes the world a better place the situation is different, obviously. Nothing wrong with volunteering your knowledge.
Cyber security is a paying profession and I don't think bug bounties undercut that. A company that's not willing to pay and wants to put in place a bug bounty will get what it pays for, which is a mystery to them and us. Others will pay.
Fin Tech companies, for instance, have regulations that require a professional audit every year. We recently paid out over $25k for one of them (and it was worth it, their guys found some extremely subtle vulnerabilities).
Also hacking on sites for fun and profit is fun and something some people like to do in their spare time. So some people are gonna do it no matter what.
Congratulations on being such a Nice Guy. Do you feel good about helping an unassailable and unaccountable titan of a given niche further cement their dominance, and getting practically nothing in return?
The alternatives are to be a criminal or let tens if not hundreds of thousands of users risk being compromised. I rather dislike Imgur - but if I discovered a vulnerability I would still report it to them.
6 comments
[ 2.4 ms ] story [ 22.4 ms ] threadWhen I read about this stuff, it seems like half of the articles end with some company either patching or not patching their security holes with some tester maybe making some money and the other half end with someone being charged for accessing public-facing data that wasn't meant to be accessed.
1. Does pursuing the vulnerability further benefit the research? 2. Would it cause any damage?
If the answers are yes and no, I'll happily see where it takes me and re-evaluate as I go on. With bug bounty programs it's generally expected that researchers are going to poke and prod at things which they otherwise shouldn't, although some programs do specifically state their objections to pursuing issues further. Facebook, for example, would rather you find an issue and report it straight away while others might admire your creativity to show exactly what an attacker could do.
However, and I know this is not a popular opinion and that most people argue they do it "just for fun". But in my mind the "just for fun" argument is nothing more than an excuse for letting large corporations* use you. Seriously, swag? Your hourly salary is minimal wage. What about all the time you spend studying? You should get payed like everyone else. Even if you really think it is that much fun, why wouldn't you want to be able to make a living out of it? Your knowledge should be (and are!) valuable.
I don't really have a solution. Maybe time is the answer. Globalization does not make it easier as the bounties are quite large from the perspective of some countries.
What do you guys think? I think it is time we start valuing our knowledge. No one will do it for us.
* If it is a start-up, non-profit, or a corporation you believe makes the world a better place the situation is different, obviously. Nothing wrong with volunteering your knowledge.
Fin Tech companies, for instance, have regulations that require a professional audit every year. We recently paid out over $25k for one of them (and it was worth it, their guys found some extremely subtle vulnerabilities).
Also hacking on sites for fun and profit is fun and something some people like to do in their spare time. So some people are gonna do it no matter what.
The alternatives are to be a criminal or let tens if not hundreds of thousands of users risk being compromised. I rather dislike Imgur - but if I discovered a vulnerability I would still report it to them.