
posted by Fnord666 on Tuesday April 07 2020, @07:29AM   Printer-friendly
from the shush-your-mouth dept.

Arthur T Knackerbracket has found the following story:

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO's investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple expert sources, including HackerOne's former chief policy officer, Katie Moussouris, call a "perversion."

Silence is the commodity the market appears to be demanding, and the bug bounty platforms have pivoted to sell what willing buyers want to pay for.

"Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security," Robert Graham of Errata Security tells CSO.

Leitschuh, the Zoom bug finder, agrees. "This is part of the problem with the bug bounty platforms as they are right now. They aren't holding companies to a 90-day disclosure deadline," he says. "A lot of these programs are structured on this idea of non-disclosure. What I end up feeling like is that they are trying to buy researcher silence."


  • (Score: 0, Offtopic) by aristarchus on Tuesday April 07 2020, @07:58AM (9 children)

    by aristarchus (2645) on Tuesday April 07 2020, @07:58AM (#979912) Journal

    Six out of ten submissions in the Hold are aristarchus submissions. And the Eds pretend to be gathering for a merge, rather than silencing an original Soylentil? Oh, the Huge Manatee! Oh, Mores, and Tempora! Sorry for the offtopic post, but no one is here anymore besides Runaway, and he is an uneducated redneck yellowbellied hillbilly Trump supporter, kind of a Trump jockstrap, that you use for a Covid19 Mask. That is, if you cannot get your hands on some of the cloroxoxycremequinine that Sean Innanity is selling. Pfft.

    • (Score: 0, Offtopic) by aristarchus on Tuesday April 07 2020, @09:38AM (3 children)

      by aristarchus (2645) on Tuesday April 07 2020, @09:38AM (#979924) Journal

      And, like wow! Instantly hidden, to die a grim death in the bowels of soylentnews. But there is hope. A slim flicker of the original commitment to free speech, not just to alt-right and racist and libertariantard speech, still burns at SoylentNews. I am aristarchus, and I am here to speak freely. I request you join me.

      • (Score: 3, Touché) by maxwell demon on Tuesday April 07 2020, @10:16AM (1 child)

        by maxwell demon (1608) on Tuesday April 07 2020, @10:16AM (#979930) Journal

        Well, the code is open source, so you might just set up aristarchusnews.org as alternative site.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2, Insightful) by inertnet on Tuesday April 07 2020, @11:33AM

          by inertnet (4071) on Tuesday April 07 2020, @11:33AM (#979935) Journal

          Make that aristarchuspoliticalnews.org

          So people not particularly interested in politics, genders or skin colors don't need to go there.

      • (Score: -1, Flamebait) by Ethanol-fueled on Tuesday April 07 2020, @10:51AM

        by Ethanol-fueled (2792) on Tuesday April 07 2020, @10:51AM (#979933) Homepage

        Niggers. Niggers hanging at the park because they won't believe what Whitey says. Now that is awesome. You must be a nigger to prepare yourself. Are you prepared to be a true nigger?

    • (Score: -1, Offtopic) by Anonymous Coward on Tuesday April 07 2020, @01:32PM

      by Anonymous Coward on Tuesday April 07 2020, @01:32PM (#979953)

      Wow, you sound like you have about as much of a victim complex as Trump.

    • (Score: 2) by jmichaelhudsondotnet on Tuesday April 07 2020, @02:03PM

      by jmichaelhudsondotnet (8122) on Tuesday April 07 2020, @02:03PM (#979959) Journal

      I drove them away by pointing out there was no one here willing to say real shit, and that the major posters were clearly shills.

      Better silence than a shill farm barking at each other.

      But I noticed that too. Why care about a community and an idea when it is so easily subverted.

      It is however nice to know I won't be censored, but if anyone believes what I am saying, and I believe they do, they are right to not post here with their real names.

      It is too late for me, I can have no anonymity, I am committed to public interest work, and have been on the lists for 20 years getting f'd with, and to this very day.

      The number of positively human responses I have received in the year I have been posting here I can count on my fingers, and they have all been anons. Fusta demonstrated he can read my private email by mentioning a very specific old movie within 24 hours of the email I sent. He also demonstrated keen interest in a story from my high school days with a girlfriend that appeared and then disappeared out of my high school class. Real actual spooky stuff.

      Being followed is not fun. Especially without money and when no one believes you.

      check my new twitter, @decultification

    • (Score: 0) by Anonymous Coward on Tuesday April 07 2020, @05:27PM

      by Anonymous Coward on Tuesday April 07 2020, @05:27PM (#980017)

      Maybe this is a bug in the Soylent software. If you pay me some money, sort of like a bounty, I'll root it out.

    • (Score: 0) by Anonymous Coward on Tuesday April 07 2020, @10:30PM (1 child)

      by Anonymous Coward on Tuesday April 07 2020, @10:30PM (#980102)

      Seven of them are from this "upstart" guy. They must really hate him too.

      • (Score: 1, Offtopic) by aristarchus on Wednesday April 08 2020, @12:01AM

        by aristarchus (2645) on Wednesday April 08 2020, @12:01AM (#980138) Journal

        Only 2, now, versus 10 aristarchus subs. They hate upstart less, it seems.

  • (Score: 0) by Anonymous Coward on Tuesday April 07 2020, @09:08AM

    by Anonymous Coward on Tuesday April 07 2020, @09:08AM (#979921)

    They pay you money and you agree not to say anything about what you found? Seems obvious to me that they are buying your silence. Not to mention that their customers, i.e. the ones who pay the bills, are the companies who use them. Why would they possibly care about the bug finders being inconvenienced by a missed deadline or hold their customer's feet to the fire, when doing either of those, except in the most egregious circumstances, is just going to piss off their customers and cost them money?

  • (Score: 2) by maxwell demon on Tuesday April 07 2020, @10:19AM (11 children)

    by maxwell demon (1608) on Tuesday April 07 2020, @10:19AM (#979931) Journal

    If person A discovers the bug and tells it to person B, then person B enters it to the bounty program and shares the bounty with person A, is person A bound to the NDA as well?

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by Immerman on Tuesday April 07 2020, @01:09PM (10 children)

      by Immerman (3985) on Tuesday April 07 2020, @01:09PM (#979950)

      I don't think there's any way for a contract (such as an NDA) to bind the actions of a third party that did not sign it.

      They might put text in the bounty-claiming NDA/contract though that requires the discoverer to swear that they are the original discoverer, and that they haven't already told anyone else. So that no matter whether it's A or B that claims the bounty, if the payer catches wind of the deceit they can charge the claimer with either fraud or breach of contract and presumably reclaim the bounty.

      • (Score: 3, Interesting) by Grishnakh on Tuesday April 07 2020, @01:33PM (6 children)

        by Grishnakh (2831) on Tuesday April 07 2020, @01:33PM (#979954)

        It sounds like what's needed is a general group for bug-bounty-seekers to join, and after a bug has been found, and after the bounty paid, and some time after that (180 days perhaps), the information on the bug is forwarded to another random bounty-seeker in the group, so they can then claim the bounty as well. This time lag should then be shortened each time it's forwarded to another seeker; eventually, the company is going to get tired of paying all these bounties for the exact same bug and fix it. And keeping the system so that it only forwards the info to seekers who don't know each other (this group would probably have hundreds to thousands of members) should create plausible deniability.

        • (Score: 2) by Immerman on Tuesday April 07 2020, @01:59PM (5 children)

          by Immerman (3985) on Tuesday April 07 2020, @01:59PM (#979958)

          I suppose that could work so long as the bug-finders don't mind committing fraud, and were actually in it to get the bug fixed, rather than for the money. But I suspect the freeloader problem would rapidly disenchant them. Especially since not only did they do all the work, they're taking the risk of having their bounty voided, and possible further legal action taken against them if the payer catches wind of their duplicity.

          • (Score: 2) by Grishnakh on Tuesday April 07 2020, @04:49PM (4 children)

            by Grishnakh (2831) on Tuesday April 07 2020, @04:49PM (#980006)

            My whole idea with it was: how exactly is the company going to know that they were sharing the bug information? If you set up a system so the people sharing the information don't know each other directly (other than all being subscribed to a system with thousands of users), how is the company going to prove fraud? For sharing an exploit, there really isn't very much information needed usually. It's a little bit like trying to copyright a header file.

            • (Score: 2) by maxwell demon on Tuesday April 07 2020, @05:06PM (3 children)

              by maxwell demon (1608) on Tuesday April 07 2020, @05:06PM (#980012) Journal

              By joining the system themselves and waiting until a bug gets passed on to them. This is then evidence that the previous bug reporter passed the bug on, and allows them to prosecute him.

              Have enough undercover joiners, and you'll have a good chance of getting several of them, and scaring the rest away.

              --
              The Tao of math: The numbers you can count are not the real numbers.
              • (Score: 2) by Grishnakh on Tuesday April 07 2020, @06:18PM (2 children)

                by Grishnakh (2831) on Tuesday April 07 2020, @06:18PM (#980032)

                How do they know the previous bug reporter passed it on, instead of it being independently discovered?

                • (Score: 2) by maxwell demon on Tuesday April 07 2020, @07:41PM (1 child)

                  by maxwell demon (1608) on Tuesday April 07 2020, @07:41PM (#980051) Journal

                  Because the receiver was the undercover agent, not the sender. If the previous bug reporter didn't pass it on, the undercover agent would not have gotten it.

                  --
                  The Tao of math: The numbers you can count are not the real numbers.
                  • (Score: 2) by Grishnakh on Wednesday April 08 2020, @02:21PM

                    by Grishnakh (2831) on Wednesday April 08 2020, @02:21PM (#980254)

                    Again, this doesn't prove that the first person to disclose to the company and receive the bounty is the same person passing it on. It's entirely possible for independent parties to discover the same vulnerability. All the discloser has to do is make sure his write-up on the bug-sharing system isn't written the same way (perhaps find a friend to rewrite it) and doesn't have any obvious details that make it unique.

      • (Score: 0) by Anonymous Coward on Tuesday April 07 2020, @11:23PM (2 children)

        by Anonymous Coward on Tuesday April 07 2020, @11:23PM (#980121)

        You can have contracts that do that. However, you have to meet very specific requirements to do so. The only situations where people normally run into those types of contracts are third-party beneficiary contracts (e.g. insurance contracts) and negotiable instruments (e.g. drafts).

        • (Score: 2) by Immerman on Wednesday April 08 2020, @01:46AM (1 child)

          by Immerman (3985) on Wednesday April 08 2020, @01:46AM (#980166)

          I don't believe those in any way bind the actions of the third party though. I can absolutely be the *beneficiary* of a contract between other people, and presumably even have certain obligations in order to claim that benefit. But I'm pretty certain a contract I didn't sign (or otherwise agree to - EULAs exist in a weird grey area of implied consent) can't legally obligate me to act (or not act) in any particular manner, it can only try to lure me into doing so.

          • (Score: 0) by Anonymous Coward on Thursday April 09 2020, @02:50AM

            by Anonymous Coward on Thursday April 09 2020, @02:50AM (#980482)

            Sure they can. For example, I give you a N.I., which is a contract between myself and you that makes it such that a third-party, usually but not always a bank, has to pay you. Or I sign an agreement and use my house as collateral and then sell it, the buyer has to GTFO if the agreement is foreclosed on. Or I agree to mow my backyard weekly and not construct a fence in exchange for everyone else on my block agreeing to do the same so that way we can all use the common backyard area, which binds not only myself but everyone else who may own my property whether they know about the agreement or not. Or I duly delegate and assign a contract to another with proper notice, which binds the third parties to the respective contracts to act as though the agreements were originally between the two of them and cut me out.

  • (Score: 2) by looorg on Tuesday April 07 2020, @10:30AM

    by looorg (578) on Tuesday April 07 2020, @10:30AM (#979932)

    This is not really a surprise is it? That they pay for the bughunters not to say anything. After all that is cheaper than the class action lawsuit due to their massive software failures. That said I do wonder if this, the bug bounties, and competitions like pwn2own etc are not also some kind of catch mechanics. Bugs might be found but they don't get disclosed until the bounty is worth it, as in they find them but hold on to them until they are actually worth something or they believe that the risk is too great that someone else will have found it too.

  • (Score: 3, Interesting) by jmichaelhudsondotnet on Tuesday April 07 2020, @02:24PM (1 child)

    by jmichaelhudsondotnet (8122) on Tuesday April 07 2020, @02:24PM (#979965) Journal

    If you want things that don't have a price, you have to have public interest people, and find a way to compensate them for their work.

    I have written a literal ton of words here in the public interest, not a single .000001 btc for my efforts, and I am only called insane, nazi, etc etc etc.

    People who are smart enough to know I am telling the truth are rightfully scared to be associated with me even by btc. I understand those people better than racebaiting shills and saarlacs like azumi. And psycho-semantic shadow trolls like "barbara hudson".

    It is happening on twitter as we speak, "john michael" trended the day I made a new account.

    And it is very much true that ecohackerfarm.org is a copshop entrapment setup, managed by an agent in an abusive psycho relationship with the owner of the property. Of course when she gets what she wants and invites more police here, she is so very happy. People who are not police, me, get called crazy for asking not to have 8 cell phones in operation at the diner table.

    Otherwise it is very nice, but warn your friends all spaces like this that do not practice a very real security culture are just copshops.

    @decultification but fml right, it is the end of reading, and maybe the end of people paying for books outside of the airport. And the end of common air travel, so....the 500 pages I self published this month and wrote over the last 2 years, plus everything I wrote here, and meme distribution, are effectively of 0 economic value despite 10,000+ page loads at my site every 2 weeks(not including google)

    Really, I could never have imagined that not a single person would contribute to my work after this much. That is also maybe what people see when they come here, even someone who works his ass off and really contributes, gets nothing but shit.

    I'll contribute while I can with my best ideas, but I will not be able to at this rate for much longer, if you guys are so shitty and no one reads, then we should all move back into caves and start wearing leopard skins and believing skulls are gods, and throw everyone with an IQ over 90 into a flaming pit if they are not pro-zionism.

    Well at least Jordan Peterson had to go to rehab and prove to everyone that his own ideas that he gets more than a mil a year for are completely ineffective even for his own self. That laugh right there was worth more money than every interaction here combined.

    Excepting the many 5 rated things, that felt good of course.

    But if everything has a price, the world is made of lies, and no one is safe, or someone has to start paying people and protecting people who are doing the work in the public interest. That there are so many rich people *not* doing this is enough evidence of their misvaluation of reality. The computer processor was not invented to shovel money up the power pyramid at a faster rate and identify every child at birth for lifelong tracking,

    it was made to help humans think and communicate, or it was a complete waste of time so get out your leopardskins and stop trying to be smart at all whatsoever. At this rate that is what we will be forced to do anyway, and maybe this month, if any of the 15 competing rumor narratives turn out to be accurate. Not like any of us could verify aliens or a yellowstone eruption or meteor strike over the internet anyway.

    Well, without public interest technologists that is. If that is not enough reason for any of you paycheck haulers to send me some coin or buy my books, so you know, you don't steal my work from me while you sit in your comfy chair in spookville or corporate towers. Maybe you don't understand the world at all outside of your javascript framework specialty, and so you should admit it.

    Or fix the market with your lightning bolt. Or grow a pair and actually accuse me of being fake and not actually needing it, I welcome that scrutiny.

    @decultification
    https://leanpub.com/thebookoflongformremixmemes
    https://leanpub.com/mentalselfdefense
    https://leanpub.com/expandeddefinitions
    https://leanpub.com/fourparables

    I admit I am not in the best of moods, working all the time while being poor, thrown out of places by anti-intellectual sociopathic government agents disguised as hippie mamas, while watching people who spew only garbage rake it in lying to people about virus and meteor news, just sucks, I hope you can understand.

    But can you?

    • (Score: 0) by Anonymous Coward on Tuesday April 07 2020, @04:03PM

      by Anonymous Coward on Tuesday April 07 2020, @04:03PM (#979987)

      Ummm I don't get the joke...?

  • (Score: 0) by Anonymous Coward on Tuesday April 07 2020, @03:33PM (3 children)

    by Anonymous Coward on Tuesday April 07 2020, @03:33PM (#979977)

    well this is not good.
    not sure how i can get upset.
    the conclusion would be that "software code" just isn't considered in the same class as "food safety", "transport safety" (like cars and airplanes), "energy safety", "medicine safety", etc. but more in a class of western gung-ho let's make money never mind cowboy attitude, eh?

    • (Score: 0) by Anonymous Coward on Tuesday April 07 2020, @04:08PM (2 children)

      by Anonymous Coward on Tuesday April 07 2020, @04:08PM (#979990)

      I know "anybody can do it" but seriously writing code is epically hard. Ever notice how most people eject themselves out of that role as soon as possible. I guess only young people can do it? No, very few people can do it period. The others go do something else so there's nobody there except noobs (young people) and a few old freaks like us on this site who actually don't mind it.

      • (Score: 3, Funny) by looorg on Tuesday April 07 2020, @04:20PM (1 child)

        by looorg (578) on Tuesday April 07 2020, @04:20PM (#979996)

        I dunno. I don't even like my own code half the time, and I am almost certain that I hate the code of almost everyone else. Almost everyone else uses the wrong indentation, commenting and syntax and their solutions tend to be asinine.

        • (Score: 2) by krishnoid on Tuesday April 07 2020, @08:08PM

          by krishnoid (1156) on Tuesday April 07 2020, @08:08PM (#980060)

          Well, software code is like an opinion, which is like ...

  • (Score: 2) by darkfeline on Tuesday April 07 2020, @08:20PM (3 children)

    by darkfeline (1030) on Tuesday April 07 2020, @08:20PM (#980066) Homepage

    Usually, vulnerabilities are sold on the black market for profit.

    This is just the companies buying the vulnerabilities, giving the finder a legal/more ethical way to sell their wares. Part of that business transaction is the finder not selling/giving the vulnerability to anyone else.

    If you want the vulnerabilities to be public, then you can buy them instead and release them publicly.

    --
    Join the SDF Public Access UNIX System today!
    • (Score: 2) by Immerman on Wednesday April 08 2020, @01:53AM (2 children)

      by Immerman (3985) on Wednesday April 08 2020, @01:53AM (#980169)

      I've got to wonder though - what keeps an unethical bug finder from claiming the bounty *and* selling it on the black market? It's not like the black market customer is going to advertise their purchase, and a little delay and use of a decent anonymizing system would make it very difficult for any but the largest companies to confirm that it was the same bug finder, even if they were also the black-market buyer.

      • (Score: 0) by Anonymous Coward on Wednesday April 08 2020, @10:49AM (1 child)

        by Anonymous Coward on Wednesday April 08 2020, @10:49AM (#980235)

        Self-identification. By selling the same exploit (a piece of code) twice, one can deduce it's the same entity doing monkey business and then it's probably against the bounty agreement T&C and they rob you via court or at least force you to waste time and money "defending" oneself. It can probably be done, but whoever uses the exploit after it has been burned is not going to appreciate your service.

        So no, it's a bad idea both concerning legal-ish buyers and the more "brotherhood of thieves" types. Because those other guys aren't going to court with you, they're just gonna shoot you for your achievement.

        I believe one shouldn't bother with bug bounties, too little money, too much exposure to a very wrong kind of people in uniform.

        • (Score: 2) by Osamabobama on Wednesday April 08 2020, @02:06PM

          by Osamabobama (5842) on Wednesday April 08 2020, @02:06PM (#980250)

          What if I buy a bug on the black market and then submit it to the bug bounty program? Is that typically a money-losing proposition? I'm assuming retail bugs have a low enough price that it can be sold more than once.

          --
          Appended to the end of comments you post. Max: 120 chars.
  • (Score: 1, Informative) by Anonymous Coward on Tuesday April 07 2020, @09:17PM

    by Anonymous Coward on Tuesday April 07 2020, @09:17PM (#980077)

    ... you dance to the devil's tune.
