You don’t make HackerOne your primary source of security testing. It’s a fun thing you do in addition to your formal security work internally.
The reason people do it is because so many people expect or even demand payment and public recognition for submitting security issues they found. Just look at how many comments in this thread are insisting that they pay the author various amounts of money. The blog post even has a line about how they have not provided recognition (despite being posted exactly on the day it was fixed, giving the company almost no time to actually do so).
HackerOne-style programs provide a way to formalize this, publicize the rules (e.g., we pay $25K for privilege escalation or something) and give recognition to people finding the bugs.
Pentesters like it not only because they get paid, but now they can point to their record on a public website.
This isn’t a “gig economy bad” situation.