undefined | Better HN

0 pointsgeofft5y ago0 comments

If you haven't had food in a few days, there are many better ways to get food on the table than trying to find exploitable vulnerabilities and sell them for tens of thousands of dollars, including

- Work on a bounty program that rewards mitigations instead of exploits (e.g., https://www.google.com/about/appsecurity/patch-rewards/). Those are much more deterministic. (But there's no black market for them.)

- Get a conventional job (possibly in software, possibly not), which pays you on a schedule.

I get the argument you're making about money, but I'm having trouble believing that going after bug bounties ever makes sense to someone in that situation, given how non-deterministic it is to find a bug.

Also (as this bug shows), it typically takes a long time between reporting a bug and having the responding team decide that it merits a bounty. In this case it took a month. (And then there's logistics about actually getting you the money at that point.) Are people who haven't eaten for a few days really going to be happy not eating for another month, even if they get a hundred thousand dollars then?

0 comments

krageon5y ago

Are you seriously telling people who are starving to "get a [conventional or not] job"? I'm struggling to understand your point of view, this is almost a caricature.

j / k navigate · click thread line to collapse

0 pointsgeofft5y ago0 comments

If you haven't had food in a few days, there are many better ways to get food on the table than trying to find exploitable vulnerabilities and sell them for tens of thousands of dollars, including

- Get a conventional job (possibly in software, possibly not), which pays you on a schedule.