undefined | Better HN

0 pointsjonahx12y ago0 comments

You're sort of just re-stating the question. I think everyone understands that's the way things are. The OP is saying that the way things are doesn't make much sense.

My guess is that the thinking goes something like this: White hats aren't going to hack us anyway, and will be fine with the tiny rewards we give them. So there's no reason to increase the rewards for them. Black hats probably aren't going to be dissuaded even by very high rewards, or perhaps even with high rewards they'd try to have their cake and eat it too, selling exploits first and then reporting them. Basically, they can't be trusted so trying to buy them off with a fair-market price isn't even worth it, so we may as well ignore them in our pricing strategy.

I don't know if that reasoning is correct, but I think approximates the thinking that leads to the status quo in this case.

0 comments

1 comments · 1 top-level

tych012y ago

I doubt it. Why wouldn't github want to pay more so that black hats also sell them bugs? Indeed, these are the very bugs that are going to be exploited, so it makes perfect sense for them to pay whatever it costs.

The real reason is probably: because nobody else does. I think it is doubtful black hats would sell their bugs to github unless github was paying 2-3 times the market rate, since the black hat can sell the same bug to multiple people.

j / k navigate · click thread line to collapse