8 comments

[ 3.0 ms ] story [ 30.4 ms ] thread
Is it just me, or I don't see anywhere in this interview that they actually paid up...
I was wandering the same thing - I remember their blog said "they were investigating whether or not contest rules had been followed". Which is kinda stupid, since attackers don't follow the rules, and could make more than $10,000 by NOT telling you about the vulnerability.

Anyway... I really appreciate his emphasis on never expecting things to be "bullet proof". People need to remember that more.

They're also totally alienating an important part of the market imo.
Is anyone interested in the value provided by Firehost? They seem to have the expertise.
Firehost is a new company but their advantage is they built their infrastructure starting with Security and that's their core focus
Cool stuff, but I disagree with Lance's last word. The public (not the technically inclined) is going to expect "bullet proof" performance, so saying you aren't is going to hurt you.
This is a great hack. The company received a message claiming details proving an XSS vulnerability, but the details did not in fact exist until they followed the instructions in the message with the vulnerable interface meaning that in effect the email acted like a call to a function returning a promise[1] which was fulfilled when the message was read.

1- http://en.wikipedia.org/wiki/Futures_and_promises