undefined | Better HN

0 pointsimadr1y ago0 comments

I assumed they offered a bounty for bug disclosure? You mean to tell me that an internet provider with 11 billion in revenue can't pay someone that found a bug impacting all their clients?

Frankly he could have just sold the vulnerability to the highest bidder

0 comments

teruakohatu1y ago

They do not:

> Cox does not offer a bounty program or provide compensation in exchange for security vulnerability submissions.

https://www.cox.com/aboutus/policies/cox-security-responsibl...

tetha1y ago

Mh, we have a similar thing on our website at work, but people who found serious issues still got compensated.

One big reason to put this out there: Otherwise you get so many drive-by disclosures. Throw ZAP at the domain, copy all of the low and informational topics into a mail at security@domain and ask for a hundred bucks. Just sifting through that nonsense eventually takes up significant time. If you can just answer that with a link to this statement it becomes easier.

It makes me a bit sad that this might scare off some motivated, well natured newbs poking at our API, but the spam drowned them out.

cqqxo4zV46cp1y ago

Don’t frame a company not parting ways with money that they could hypothetically part ways with as being unusually egregious. That’s never how it works. Not every conversation needs overstated outrage.

bayindirh1y ago

> Frankly he could have just sold the vulnerability to the highest bidder

Why? Ethics aside, is everything money?

robertlagrant1y ago

> Why? Ethics aside, is everything money?

Ethics aside, why not? That's why we have ethics.

mjg591y ago

Vendors who pay bounties often restrict public disclosure, and the professional value obtained from being able to talk about the research you do may be worth significantly more than the payout

1 more reply

pyrale1y ago

Ethics aside, there are many thing that move people, and it's not always money. For instance, selling the vulnerability means the author wouldn't have been able to tell their story.

bayindirh1y ago

Because even if I remove ethics, I can't find a reason for doing something like that.

For me, doing the right thing is beyond all these things, and I don't care about money beyond buying the necessities I need.

2 more replies

imadrOP1y ago

>Why?

So this security researcher can keep doing his research without worrying about paying bills. The company gets cheap security audit, the researcher gets money, everybody wins

naikrovek1y ago

because money grants wishes, and having more money means you get more of your wishes granted.

bayindirh1y ago

That doesn't make me interested. I don't get all excited about the things money can buy.

Edit: As I noted elsewhere, necessities are something else.

3 more replies

unclebucknasty1y ago

>...can't pay someone that found a bug impacting all their clients?...he could have just sold the vulnerability to the highest bidder

This attitude is why "independent security researchers" offering to present unsolicited findings to companies in exchange for payment feels exactly like extortion.

zdimension1y ago

At the same time, Cox is a commercial entity that makes money by providing services. Cyberattacks make them lose money, so it's only fair for them to financially award people that responsibly inform them of vulnerabilities instead of easily and anonymously selling those.

We're not talking about a grandma losing her wallet with 50 bucks in it and not giving money to the guy that found it and gave her back.

unclebucknasty1y ago

>it's only fair for them to financially award people that responsibly inform them of vulnerabilities instead of easily and anonymously selling those.

Yes, Cox has that choice. But, what you're describing is the definition of extortion. The fact that it's easy for people to get away with it does not make it ethical.

2 more replies

notactuallyben1y ago

while beg bounty people can be annoying, you have to remember that people aren't obligated to sit down and find free bugs for any company (especially not a big one) - why would i sit down and look at some code for free for some giant corp when i could go to the beach instead?

unclebucknasty1y ago

No, they aren't obligated. So, if there's no bug bounty program in place, then they should either go to the beach or be willing to find bugs for the public good.

The idea that the company owes them anything for their unsolicited work is misguided. And, if they present the bugs for money under the implicit threat of selling the information to people who would harm the company, then it's extortion.

2 more replies

j / k navigate · click thread line to collapse

0 comments

teruakohatu1y ago

They do not:

> Cox does not offer a bounty program or provide compensation in exchange for security vulnerability submissions.

https://www.cox.com/aboutus/policies/cox-security-responsibl...

tetha1y ago

Mh, we have a similar thing on our website at work, but people who found serious issues still got compensated.

It makes me a bit sad that this might scare off some motivated, well natured newbs poking at our API, but the spam drowned them out.

cqqxo4zV46cp1y ago

bayindirh1y ago

> Frankly he could have just sold the vulnerability to the highest bidder

Why? Ethics aside, is everything money?

robertlagrant1y ago

> Why? Ethics aside, is everything money?

Ethics aside, why not? That's why we have ethics.

mjg591y ago

Vendors who pay bounties often restrict public disclosure, and the professional value obtained from being able to talk about the research you do may be worth significantly more than the payout

1 more reply

pyrale1y ago

Ethics aside, there are many thing that move people, and it's not always money. For instance, selling the vulnerability means the author wouldn't have been able to tell their story.

bayindirh1y ago

Because even if I remove ethics, I can't find a reason for doing something like that.

For me, doing the right thing is beyond all these things, and I don't care about money beyond buying the necessities I need.

2 more replies

imadrOP1y ago

>Why?

So this security researcher can keep doing his research without worrying about paying bills. The company gets cheap security audit, the researcher gets money, everybody wins

naikrovek1y ago

because money grants wishes, and having more money means you get more of your wishes granted.

bayindirh1y ago

That doesn't make me interested. I don't get all excited about the things money can buy.

Edit: As I noted elsewhere, necessities are something else.

3 more replies

unclebucknasty1y ago

>...can't pay someone that found a bug impacting all their clients?...he could have just sold the vulnerability to the highest bidder

This attitude is why "independent security researchers" offering to present unsolicited findings to companies in exchange for payment feels exactly like extortion.

zdimension1y ago

We're not talking about a grandma losing her wallet with 50 bucks in it and not giving money to the guy that found it and gave her back.

unclebucknasty1y ago

>it's only fair for them to financially award people that responsibly inform them of vulnerabilities instead of easily and anonymously selling those.

Yes, Cox has that choice. But, what you're describing is the definition of extortion. The fact that it's easy for people to get away with it does not make it ethical.

2 more replies

notactuallyben1y ago

unclebucknasty1y ago

No, they aren't obligated. So, if there's no bug bounty program in place, then they should either go to the beach or be willing to find bugs for the public good.

2 more replies

j / k navigate · click thread line to collapse