Very few companies will pay for this type of exploit, even fewer will offer a thanks. It's easier to get them fixed this way.

The question is whether it's easier for the security researcher or the users. I don't think it's easier for the users if they end up being exploited for weeks while the vendor rushes to fix it.

If the vendor tries to delay you for months or ignores you, sure. But it doesn't even seem like he tested the exploit here to understand whether it was a serious threat.


They're not his users, and the company, which allowed these vulns in the first place, isn't trying to pay him for his work; see Google, CCBill, Mozilla, etc.