undefined | Better HN

0 pointsclaudius12y ago0 comments

8 hours at 400$/hour will still only be 3200$ and he can presumably spend the remaining 4-3 hours doing more security analysis with less overhead, so it might still be cheaper to hire him as a consultant.

0 comments

homakov12y ago

Exactly. + if github would really ask me for consulting I'd consider working for free, just for a testimonial.

zaidf12y ago

I have a question for you! Roughly how many hours do you think you've spent looking for bugs on github before you found these stream of exploits?

homakov12y ago

0. I spent less than an hour last year because there was no proper motivation.

1 more reply

arnarbi12y ago

But they'd have to pay those $3200 without knowing if there were results. They might have to pay dozens of such consultants before one of them found bugs like this. Bug bounties, paid only on successful discoveries, are much cheaper.

aidos12y ago

But also much riskier. What if it transpires that the $4000 isn't enough? We know roughly what they're paying now, so when people find an issue like this they know they could sell it for much more.

shawabawa312y ago

Of course, there's probably also a large chance that he finds nothing in those 8 hours

homakov12y ago

"nothing" never happened IRL. I either work extra for free trying to find more, and punch myself until I find something.

avenger12312y ago

Really great attitude.

I would make this your tagline in some way -

"I will find vulnerabilities. If I don't, I will become a vulnerability to my own body and attack myself until I do!"

1 more reply

fooqux12y ago

There are always n+1 bugs. I presume the same could be said for security holes- especially considering they are sometimes the result of bugs.

1 more reply

j / k navigate · click thread line to collapse

0 comments

homakov12y ago

Exactly. + if github would really ask me for consulting I'd consider working for free, just for a testimonial.

zaidf12y ago

I have a question for you! Roughly how many hours do you think you've spent looking for bugs on github before you found these stream of exploits?

homakov12y ago

0. I spent less than an hour last year because there was no proper motivation.

1 more reply

arnarbi12y ago

aidos12y ago

But also much riskier. What if it transpires that the $4000 isn't enough? We know roughly what they're paying now, so when people find an issue like this they know they could sell it for much more.

shawabawa312y ago

Of course, there's probably also a large chance that he finds nothing in those 8 hours

homakov12y ago

"nothing" never happened IRL. I either work extra for free trying to find more, and punch myself until I find something.

avenger12312y ago

Really great attitude.

I would make this your tagline in some way -

"I will find vulnerabilities. If I don't, I will become a vulnerability to my own body and attack myself until I do!"

1 more reply

fooqux12y ago

There are always n+1 bugs. I presume the same could be said for security holes- especially considering they are sometimes the result of bugs.

1 more reply

j / k navigate · click thread line to collapse