
I think, if this had been abused, Tesla would be out of business.

But the fact that $50000 is chump change for Tesla does not mean it's chump change to the recipient.




It's funny, we always talk about compensating leaders for the value they provide to the company. Yet when it comes to non-leaders, it transforms into a question of "value relative to their current/recent income".


> It's funny, we always talk about compensating leaders for the value they provide to the company. Yet when it comes to non-leaders, it transforms into a question of "value relative to their current/recent income".

That's maybe true for founders, but not really for hired executives:

> One major consideration that goes into how much a CEO should be paid is what other companies are paying. Compensation committees benchmark CEO pay against a self-selected peer group -- often 12 to 20 companies that may be of similar size and complexity, and have similar business models, according to Robin Ferracone, CEO of Farient Advisors, an executive compensation consulting firm.

https://www.cnn.com/2019/10/24/success/ceo-pay-packages/inde...


People who assume the world is fair will always find the justifications for why any status quo is valid.


How long do you think it takes for someone to find an exploit? Sure, a long time ago I found problems in web pages by clicking "view source" and going "I wonder what happens if.." and doing POST/GET with a huge buffer, or with "\");...." embedded in it.

These days companies that take their security seriously are hopefully harder to exploit. If it takes someone a couple of months of slow fuzzing/etc. to find an exploit, that is probably below market for the person's skills here in the US.

Maybe a part of these bug bounties should be not only how critical the bug is, but some metric of how much work the individual put in before finding the problem.


Any one individual could put in an arbitrarily huge amount of work, or claim to have, in order to find a bug.

How do we classify what constitutes work to find any particular bug?


The bounty was $5,000 not fifty thousand. And frankly that would be chump change anywhere for the opportunity cost.


It was $50,000:

> He didn’t end up getting a new Tesla, but the automaker awarded him a special $50,000 bug report reward — several times higher than the max official bug reward limit:

You're looking at the $5,000 bounty awarded for exposing Supercharger-related data that Tesla "didn't want [...] out there", which is obviously a much less severe issue than remote control of the entire fleet.


Ah okay, thank you. Not sure why the $5000 figure stuck with me.


No, $5k was for an earlier bug. "the automaker awarded him a special $50,000 bug report reward — several times higher than the max official bug reward limit"



