
I'm betting on insider access. Microsoft had to lock down internal access to their security bugs when some employees were selling the bugs on the black market.



For what it's worth, Mozilla locks down internal access to security bugs too. I can't see those bugs, which is exactly how it should be, as I have no need to know.


How many people can read these?


As a Mozilla employee I can say that I was in the security group but lost access at some point since I wasn't very active.


How’d you get access in the first place?


I helped out with UI related security bugs (e.g. address bar spoofing) which we had a bunch of at the time.


I don't know.


Do you have a source for that? Google's not giving me anything. I'd definitely like to know more - I can't help but wonder how widespread that kind of behavior is.


Locking security bugs from wide internal read access has been SOP everywhere I've worked for decades.


I think they're asking for a source on the specific claim about Microsoft employees selling bugs on the black market, which is what I would also like to see.

I don't need to be convinced that security bugs should be on a need-to-know basis during the responsible disclosure period, that seems obviously prudent. Anyone not working specifically on security can learn about the details at the same time as the wider public.


I don't know anything about that event, but it reminds me of when 20 Apple contractors had a scheme selling Apple user data for $7M.

https://www.nytimes.com/2017/06/09/business/china-apple-pers...


No source, but I'd be willing to bet it's very widespread.


If it is insider access they will be caught.



