undefined | Better HN

0 pointstptacek9y ago0 comments

No, there isn't. Even the people who participate in the grey market for exploits (sales that aren't overtly prohibited by law and for which participation would be unlikely to make you an accessory to a felony) are very quiet about it.

But, a good starting point might be the analyses people have done on the Hacking Team leak.

0 comments

XMPPwocky9y ago

What's your opinion on bug bounties for hosted applications v.s. bug bounties for actual pieces of software?

To me, the latter seem like a much more obviously good idea than the former. Notably, issues of somebody going out of scope- like the Facebook issue a while back- mostly disappear. Bounties on things like Chrome seem to be almost drama-free; the worst possible case, aside from somebody 0-daying a bug out of anger, is somebody not getting paid.

rasz_pl9y ago

I seem to remember Miller mentioning in passing he got paid ~50K per vuln (you can guess who paid it by looking up Millers past employers).

j / k navigate · click thread line to collapse