HN, I am wondering about your thoughts on the $5500 bounty. This is a bug that affected a third-party system on Facebook's servers, and the network was locked down. I could have gained access to resume analysis software and maybe resume uploads themselves. There was little to no chance I could get Facebook internal code or binaries. So, was the bounty enough?
Neither here nor there regarding compensation, but if I were to describe this for the purpose of e.g. a resume, I do not think "I demonstrated a vulnerability allowing one to root a facebook.com server and thereby compromise any Facebook user" is an exaggeration. You're most of the way there, and while developing it further might be a fun exercise, from their perspective it should be a mostly foregone conclusion that you'll win.
Did you report it to Facebook, rather than sell it on the market? Yes? Then it was enough, by definition.
Honestly, resume uploads are unlikely to be worth much. The resume analysis software either. What information is there worth anything to a disreputable buyer?
It absolutely doesn't follow that it was enough. Someone might report it to Facebook rather than sell it on the market out of principle regardless of the bounty, while still thinking that the bounty is way too low relative to the severity of the issue. (What's more, the size of the bounty might be revealed only after it's been reported.)
However, I'm unsurprised to find such reasoning on HN.
Actually, if the goal of a bounty program is to get reports instead of wild exploits, the only metric of success is getting the reports. In the case that someone would have reported it for reasons other than the bounty, the bounty is not only too much, but completely wasted.
How can you say it's completely wasted? This guy just blogged about getting $$$ from Facebook, and it hit the front page of HN. It might inspire others to also report vulnerabilities. And conversely, if he was looking for bounties and didn't get any, there would instead be a front page HN story about Facebook not paying bounties.
That only holds if those bug hunters who read this consider the payout fair. Otherwise, they may decide not to spend time hunting on Facebook or may decide not to report bugs found in favour of the black market.
> What's more, the size of the bounty might be revealed only after it's been reported.
There's more than enough information on what Facebook tends to give out on various types of vulns. I wouldn't be surprised if there's a website out there that aggregates this sort of information. Even if you don't know precisely what you'll get, you'll at least have a rough idea.
> However, I'm unsurprised to find such reasoning on HN.
Honestly, as someone who is decidedly not a capitalist usually: either the bounty is a token "thank you", or it's a capitalist-minded attempt to get people to report vulns rather than ignore them or sell them on the market. In the former case, the amount doesn't really matter so long as it's not insulting, and in the latter, my argument that if it gets people providing vulns, it's enough, applies.
It's specifically not "payment", because payment-for-services requires that services were actually and specifically requested. It's a reward or a "thank you", and should be thought of as such - perhaps similarly to a reward for finding a lost kitten.
Parent's talking about the amount to achieve a goal, you're talking about what's fair. The two are valid, they just shouldn't be mixed up. The problem with the latter, of course, is that there's no objective measure, but you certainly can't assume the receiver is necessarily reasonable in his assessment.
Well, they had to figure out what was going on with software from a 3rd party vendor. That likely adds overhead.
But hey, I'd break all kinds of functionality temporarily to make sure this exploit - which, as is explained, looked worse than it ended up being - wasn't actually as bad as (or worse than) it did look.
I agree with this, too. Personally, I would probably do the same. A day of breaking a small part of the site vs. killing a local file read seems like a good trade.