normie3000 (20 hours ago)
Cool bug. Bug bounty money is pathetic.

bytecauldron (20 hours ago)
I was going to ask. Isn't 4k from Discord pretty low for the work conducted here? I'm not familiar with bounty payouts. I'm hoping these companies aren't taking advantage of them.

tuesdaynight (20 hours ago)
What is the reason for the low values? I would understand if it was a small company, but we are talking about Discord here.

charlesabarnes (20 hours ago)
Supply and demand. Selling via grey markets is an option, but many white hats don't go that route due to risk. There are plenty of people who will also find vulnerabilities without any money attached.

Aachen (2 hours ago)
Not sure what risk, but for me it would be morals. I've rarely gotten bug bounty money, and not even always a written thank-you, but it doesn't cross my mind to somehow seek out a malicious actor that wants to make use of what I found. Leave the place better than you found it, and all that.

jijijijij (18 hours ago)
That's a limited view. The damage this could cause should be accounted for. People don't have to sell shit; they could fuck things up just for the fun of it. That's something to consider, especially with a bunch of teenagers. Now, these big corpos didn't take the chance to sponsor and encourage these kids' early careers and make this fuck-up good PR, at least.

Aachen (an hour ago)
That's not how economics works. I can't do my job without a computer or glasses, but that doesn't mean I can pay the suppliers of these things most of my salary each. Preventing a 100k€ problem says almost nothing about what the payout should be. As for them just causing chaos for fun, that nets them just about nothing (what's an evening of fun worth? Like, what are you willing to pay for a cinema ticket?). This is certainly more (hundreds of times more) and so covers that risk as well.

tptacek (19 hours ago)
What "grey market" are you talking about? How specific can you be about it?

jfindper (19 hours ago)
I know you love asking people this question, so sorry to spoil your fun, but you know just as well as I do that there isn't really a "grey market".

tptacek (19 hours ago)
There absolutely is. I'm just not familiar with one that buys these vulnerabilities.

some_guy_nobel (9 hours ago)
What do you expect? a16z-funded and they love to talk about how much they've raised, thought-leader style co-founders, etc.

FloorEgg (20 hours ago)
Supply and demand, I guess. Pathetic for a senior SE, but pretty awesome for a 16-year-old up-and-coming hacker.

tuesdaynight (20 hours ago)
You are right, but that could (probably not) make them go for the bad route because they would get way more money that way. 4k for a bug that could take control of your customer account sounds disrespectful to me.

finghin (19 hours ago)
Yeah, my read is that the teenage hacker confronted with this ridiculous payslip sees two ways forward: accept the pay cut for the CV benefit of working with bug bounties, or get a bit better at hiding your ass and make them really pay.

james_marks (17 hours ago)
If I were 16, I'd be thinking I just made an obscene amount of money ($4,000!) messing with computers for fun, and got to meet people at a famous company. That's a free car. Free computer. Uber Eats for months. And my status with my peers as a hacker would be cemented. I get that bounty amounts are low vs SE salary, but that's not at all how my 16yo self would see it.

finghin (14 hours ago)
When I was sixteen I was already familiar with the concept of leverage. I'm not sure if I'd have had the cojones to use it though.

grenran (17 hours ago)
Playing devil's advocate, but 4k is probably more money than most kids that age have seen in their lives.

finghin (19 hours ago)
I hope I'm not assuming too much, but I really hope the up-and-coming hacker is smart enough to know that his work was worth more than $4,000. That's 1-2% of an annual SE salary for someone with a similar skillset.

MeetingsBrowser (19 hours ago)
> That's 1-2% of an annual SE salary for someone with a similar skillset.

I agree $4,000 is way too low, but a $400k salary is really high, especially for security work.

ascorbic (19 hours ago)
And this will help them land that six-figure job.

bbarn (18 hours ago)
I mean, as a hiring manager, a fresh grad with multiple bug bounties tells me a lot about their drive and skill, so I'd agree. It's a great differentiator.