No matter how much effort you invest or how objectively severe the vulnerability you find is, you can always be brushed off with a "We believe it is not that serious" or "Someone else has already reported it." Essentially, you're blindly trusting companies to pay you after you did the job and reported it to them, with no kind of contract backing the employment relationship.
It's no coincidence that the prices for this kind of information on the dark web are much higher than on official bug bounty platforms: demand is greater, opportunity cost is lower, and market equilibrium is more genuine. We need stronger incentives if we want to stay ahead in the cybersecurity war.
Trezor is transparent with these discoveries: https://trezor.io/learn/a/past-security-issues
reply
I wonder if there are any websites for tracking bug bounty submissions, to determine if anyone else had, actually, made a company aware of something.
reply
It would be a hacker's goldmine, if this data got out. Basically a listing of verified vulnerabilities.
reply
Another, less moral, but just as interesting idea would be a trivago/kayak of bug bounties. Compare the prices across the board from the expected darknet price vs. the price of reporting it to that site.
reply
It's complicated on their end too. How would they know if you were reporting the same vulnerability from several sockpuppets?
reply
Spam is everywhere and it's not easy to solve.
reply
Even though hashing language is very imprecise, as I can form the same idea many ways, I think hashing your vulnerability and then seeing if that hash has already been reported is an interesting thought experiment.
reply
I second you. My friend reported a vulnerability in a popular crypto wallet to the concerned people, and it looks like they responded saying they aren't able to reproduce the issue. My friend tested on three phone brands and confirmed that the vulnerability is exploitable on multiple devices. The vulnerability still exists and they haven't done anything to fix it for months.
reply
We already lost the cybersecurity war.
reply
Bug bounties should encourage and incentivize. Not paying because of something secret is baaad practice.
reply
Who is fighting in this war? What's this war for?
Some people often say that Bitcoin is for criminals, and there are also people who say Bitcoin is for freedom.
The same goes for cybersecurity. Who doesn't want to watch a pirated video just free of cost? Who doesn't do it? Sometimes it's better to judge everything with a little more rationale, instead of downvoting it straight away.
reply