undefined | Better HN

0 pointsunclebucknasty1y ago0 comments

No, they aren't obligated. So, if there's no bug bounty program in place, then they should either go to the beach or be willing to find bugs for the public good.

The idea that the company owes them anything for their unsolicited work is misguided. And, if they present the bugs for money under the implicit threat of selling the information to people who would harm the company, then it's extortion.

0 comments

depressedpanda1y ago

1. Companies are amoral entities, and given the opportunity have few qualms about screwing people over if they can profit from it. Why do you expect people to behave ethically towards entities that most likely won't treat them ethically?

2. If said person doesn't present the bug to the company, but just goes straight to selling it to the highest bidder it's not extortion. If the company does not provide the right incentives (via e.g. bug bounties), isn't it their own fault if they get pwnd? They clearly don't value security.

unclebucknastyOP1y ago

You seem to be saying it's essentially "justified extortion" and not immoral because you've adjudicated them guilty. We disagree.

Not to mention them getting "pwnd" creates a lot of collateral damage in the form of innocent customers.

imadr1y ago

I would agree with everything you said, If we ignore the fact that the company has billions of dollars in revenue and paying a bug bounty is a drop in the ocean for them.

Do you think it's reasonable to say the the ethics of what you call "extortion" should depend with how big the company is? I'm obviously not advocating for making a small company pay more than they can manage

unclebucknastyOP1y ago

>the company has billions of dollars in revenue and paying a bug bounty is a drop in the ocean

That framing is strange to me. If they want to offer a bug bounty, then they can. But, it's their choice. Maybe they'd instead rather engage a security firm of their own selection.

But, whatever the case, to say "they should pay the money because they can afford to" isn't right to me. I don't believe the definition of extortion changes based on how big the target is or whether it can afford to pay.

In fact, the line of thinking in some of the comments here is so far off from what seems obviously ethical to me that I've had to re-read a few times to ensure that I'm not missing something.

j / k navigate · click thread line to collapse

0 comments

depressedpanda1y ago

unclebucknastyOP1y ago

You seem to be saying it's essentially "justified extortion" and not immoral because you've adjudicated them guilty. We disagree.

Not to mention them getting "pwnd" creates a lot of collateral damage in the form of innocent customers.

imadr1y ago

I would agree with everything you said, If we ignore the fact that the company has billions of dollars in revenue and paying a bug bounty is a drop in the ocean for them.

unclebucknastyOP1y ago

>the company has billions of dollars in revenue and paying a bug bounty is a drop in the ocean

That framing is strange to me. If they want to offer a bug bounty, then they can. But, it's their choice. Maybe they'd instead rather engage a security firm of their own selection.

In fact, the line of thinking in some of the comments here is so far off from what seems obviously ethical to me that I've had to re-read a few times to ensure that I'm not missing something.

j / k navigate · click thread line to collapse