My personal experience. While also pointing out the high number (66) of exploits that have been found in the past 5 months. And wondering why Facebook is so dependent on these external security disclosures (and pays so little).
The answer is in the last two paragraphs of the article, e.g.:
> "A nice day's pay, but a paltry fee for pointing out a gaping hole in the security of a social network holding the personal data of over a billion people"
My bad, I didn't read further. I assumed this was server-side. After reading, 4.5k sounds right from Facebook, and while I'd imagine the other market price to be higher, I don't think it'd be above 3x, much less 10x, without something special (e.g. high-profile user data) accompanying it.
What I meant is that the user needed to load a Flash payload and be logged in properly. The data harvesting happens client-side. The vulnerability itself is server-side, yes, but computers are faster at copying data than engineers are at figuring out what's going wrong. The data you could potentially harvest with an exploit like this, given good planning and enough time to affect a large number of people, is definitely worth quite a bit of money. This vulnerability could even have helped to make a very convincing phishing attack, which, again, properly executed, leads to very valuable data.
It's not remote execution, but I still think it's valuable.
(serious question, not hating)