Thursday, June 29, 2017

Follow up to the vuln disclosure post

Summary of responses from this post:

I wanted to document/summarize some of the responses I received and some of the insights I gained via self observation and my interactions with others on the topic.

I received a few replies (fewer than I hoped for, though). To summarize a few:

- I'm not a greedy bastard for thinking it would "be nice" to get paid for reporting a vuln, but I should not expect them.

- Bug Bounty awards are appreciation for the work, not a right.

- Someone made a nice analogy comparing losing AWS/Slack keys to losing a cell phone or cat. Every person might value the return of that cat or phone differently.

- I'm super late to the game if I want to get on the "complain about bug bounties / compensation" train. **I think this is not quite the same situation but I appreciate the comment**

- The bigger the company, the harder it is to issue an ad-hoc reward if they don't have an established process.

- They [the vulns] have value - just not monetary. The value is to the end-user.

- Generally speaking, I [the author of the comment] think quite a lot of the BB crowd have a self-entitled, bad attitude.

- Always ask yourself if this will hurt innocent people. If so, report it, but make sure the public knows that they f*cked it up.

This blog post reply:

I got a variety of responses, ranging from "it's the right thing to do" up to "if they don't pay up, they don't get the info." Collectively, I don't think we are any closer to an answer.

To get a bit more personal on the subject, I think this piece from Ferris Bueller's Day Off sums it up to an extent:

"The problem is with me"

I've been giving quite a bit of thought to what component of the process brings me the most excitement and enjoyment. I believe I have identified which component brings me the most enjoyment, and I will focus on that piece and work to manage any expectations I place on others.

I very much appreciate everyone that engaged in the conversation with me.

More things to think about for sure :-)

Anonymous said...

No problem, thanks for asking :)

Not sure how old you are, CG, but having been around a while, I find a little self-reflection now and then is a good thing.

Anonymous said...

As engineers we identify problems symptomatically, and push upwards in our root cause analysis. This method is problematic due to the indirection of cause and symptom for inter-systemic problems such as the interaction of market forces and cultural ideals. As a community, we want to fix the things, protect the public, and ensure that entities producing systems and components adhere to best practices for securing the problem domains they work in. In the market we look at value, and let's face it, there's always more value on the dark side in immediate monetary return terms. Bounty programs are the middle ground between doing harm and being broke (still between bad and bad). Until there is a legislated place for our work and at least a reasonable measure of compensation for doing the right thing, only those in a position to "give away money" can take the high road on a daily basis (in the luxury SUV of choice). It's like military service - only those who believe that the ends of benefiting the community justify the means of personal loss will walk that path, and since this issue affects civilian life, the numbers just aren't there to make the difference needed (yet).