TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

Stealing Facebook access_tokens using CSRF in device login flow

127 points by franjkovic, almost 9 years ago

6 comments

dopamean, almost 9 years ago
The circle jerk discussion about the rewards paid out by bug bounties on this site is getting ridiculous. It has been talked about ad nauseam and it seems that most people crying that the reward isn't high enough because "you could make so much more on the black market" don't actually know anything about how vulnerabilities are monetized on the black market.
daraosn, almost 9 years ago
I think $5,000 is a joke, this is a serious vulnerability... Despite this, congratulations for finding it and reporting directly to them, the right way. If it's possible to know, how many hours did you spend researching this?
a_imho, almost 9 years ago
The black market is a false dichotomy. Either you need the money for your work, then negotiate a reasonable price, or you don't, then disclosing it for free might actually help someone not to be lowballed by BigCo the next time.

There really should be a bug marketplace, instead of one side having all the power and paying pennies.
evoltix, almost 9 years ago
Out of curiosity, was there any particular reason why you decided to write a blog post about this vulnerability 5 months after the bug was fixed?
cloudjacker, almost 9 years ago
So you got paid $5,000? How long since the first report did it take for that to reach your bank account?
spoown, almost 9 years ago
Well done, I hope you made some €€€ on it...