5 comments

[ 4.8 ms ] story [ 26.4 ms ] thread
Holy crap. $15k for brute-forcing an unthrottled endpoint with GET requests? gratz on that payout
I assume payouts are linked to the severity of the attack rather than elegance.

Also in this case the throttling is an absolute requirement rather than a "nice to have, users set good passwords right?" thing.

What would this vulnerability be worth in the open market? 10 times that? 100x?
I’m sure it would be way less legal that route.
Not the smartest thing, to go posting a photo of one's credit card, considering there are only 999 combinations of the security # on the back. Hopefully Visa is smarter than facebook in this regard.