So I’m the guy who sent the t-shirt out as a thank you (yahoodevelopers.tumblr.com)
359 points by jnazario on Oct 3, 2013 | 195 comments



I not only appreciate what they are trying to do moving forward, but also the entirely good natured, reasonable tone of the whole message. He explains without getting defensive and, in my opinion, helps Yahoo come out of this with a potential PR win. Well done.


After reading the first sentence of the post, I paused and tried to imagine what would come next. I had three guesses:

1) A clean, unconditional apology, like: "I screwed up, I'm going to fix it". I had very little hope since people don't often admit this type of thing.

2) A defensive apology (that is, not really an apology): "Yeah I kinda screwed up a tiny little bit, but really it wasn't my fault, the predecessors..."

3) A smart-ass offensive strategy: "aha, you don't get it, our t-shirts are really cool, you should be happy that we even offer gifts and recognitions, you ungrateful bastards"

My ideal answer would have been 1) of course. Turns out, he exceeded my expectations (I'm the cynical jerk, here). He was a good guy in the story, explained the situation without fake apologies, or anything. Great answer.


Word count for "sorry" or "apologize" in that article: 0.

That is PR jiu-jitsu. Make everyone feel good, make yourself look good and don't even use the word "sorry". Of course, it helps that you were "in the right" to begin with, but deftly handled, nevertheless...


Hm. Now that I think about it, both of those words are actually really bad for being used in a sincere apology. The salient points of an apology are (1) "I own this action, and this action was wrong and I understand why" and (2) "These are my actions in response and in recompense".

Neither of those call for saying, "I'm sorry" or "I apologize" and saying either seems to detract a bit. I could be wrong? It's interesting to think about.


What behavior should he be apologizing for, in your opinion?


This. He bought shirts - and gift certificates, etc. - with his money because they didn't have any other way to thank people.

He also wrote thank you notes.

Very old school. My grandmother would be proud.

T-shirt-gaters need to lighten the heck up.


This is one of those situations where, since you're responding to a question, the "This." format of answer makes your comment unclear. Just FYI - it sounds like you're listing the things he should be apologizing for (although that's not the case given context, obviously).


None, hence

> it helps that you were "in the right" to begin with


Thank you. I don't see anything wrong with what he did.


"Sorry" doesn't really seem appropriate in this case. He sent out swag that some people thought was too little.


"I'm sorry" I guess is supposed to indicate sympathy. You don't need to sympathize to apologize.


"I'm sorry" is commonly used both to express sympathy and to apologize.


Agreed on exceeding expectations! I wasn't self-aware enough to parse my expectations the way you have, but I was very cynical when I clicked through and very pleasantly surprised.


He has a well balanced head on his shoulders. He should be in PR!

It's striking when you can tell whether an answer is honest/no-nonsense. And not even an overdone apology can beat an honest-to-goodness straightforward answer.


> And then yesterday morning “t-shirt-gate” hit. My inbox was full of angry email from people inside and out of Yahoo. How dare I send just a t-shirt to people as a thanks?

Guy tries to do something nice and gets a big slap on the face. I can imagine this reaction from those outside of Yahoo wanting big rewards for their discoveries, sad to hear it was coming from internal as well.


Agreed, this is an excellent apology. No "sorry if you were upset" conditional apologies here, just a straight up "here is where we dropped the ball, and here is what we have fixed so it doesn't happen again; we're sorry".

Brilliantly handled.


And the new policy is backdated... which just happens to cover those folks who complained about getting t-shirts.


That's the genius part. Super smart. Well played.


Except it doesn't actually have the "we're sorry" part. :-)


Agreed; hopefully the people who got upset will get some clarity from this and everyone will come out ahead.

Personally, I think it's ridiculous that this was blown so far out of proportion, all because someone went above and beyond with his own resources trying to thank reporters. But then I don't have both sides of the story and, frankly, I'm not going to go looking for internet anger to figure it out.


If you say "what they are trying to do", we understand that this process will take place as time progresses. It's implied in the verb tense, that's why verb tenses exist. So "moving forward" never adds any meaning when used in its current corporate-speak fashion. Hackers should respect language.


I appreciate the tip, but you don't need to justify yourself with "hackers should respect language." Especially as that might imply that you think I don't, before giving me the opportunity to acknowledge the note. Thanks for the copy check :)


(Note, I technically work for Yahoo - but this is all personal opinion)

Great on Yahoo for putting a reward program in place, but when did everyone become so entitled to getting something for reporting a bug/security concern.

If you stumble on to an issue, and you are a good person, submit the report. If you are looking to make a living off of finding bugs, go directly to the companies that actually have a reward program in place. Don't be mad when you get a thank you gift that wasn't what you expected. Don't get mad at your security report not meeting guidelines.


It's not that I disagree with your opinion; if I found a bug and I reported, all I'd really want to know is that they were taking it seriously. So a personal note would be great. And I love that this guy was, in the midst of dysfunction, just buying the t-shirts and sending them out because it was The Right Thing.

However, it is a little much for a for-profit, publicly traded company with $4 billion in annual revenue (mostly made from manipulating how their users spend money) to think that other people should do things for them for free.

I certainly miss the long-ago days when the Internet was an academic community, mainly free of commercial influence. And I love it when people rise above base commercial motives to do something more beautiful. But if we line people up based on their right to complain that the Internet is all crass and money-oriented these days, Yahoo, who led the first wave of Internet commercialization, surely must be near the back.


> However, it is a little much for a for-profit, publicly traded company with $4 billion in annual revenue (mostly made from manipulating how their users spend money) to think that other people should do things for them for free.

I'm not sure I understand this. Yahoo! did not have a bounty program that paid out money so if you were submitting a vulnerability you found it would be a little ridiculous to expect any remuneration.


My point here is that a for-profit company shouldn't expect random people to do nice things for free. Sometimes they do and that's great. But they shouldn't expect it.

The post I was replying to comes from a "let's all help each other out" perspective, which I like and is the mode I want everybody to be in. But the last people who should be pushing that line are those who are making billions of dollars. Especially so when those people are the ones who led the first wave of commercializing the internet.

It comes across to me as something like, "Hey, let's all work together so I can line my pockets."


I think the message he was portraying more is of the annoyance with someone showing up with a vulnerability and demanding a reward. The same way you might view someone mowing your lawn without your permission and then getting angry when you didn't pay enough for it.


Who is it that showed up and demanded a reward? I missed that happening.


> when did everyone become so entitled to getting something for reporting a bug/security concern

Sometime around the point where:

- Yahoo!'s competition started offering bounties, and

- "Entitlement" became a rhetorical tool to dismiss discussion of any business practice that might cost money


This has nothing to do with Yahoo - this has to do with every time there is someone complaining about them not receiving the bounty they wanted - and in this case about getting a t-shirt as a thank you. I am happy Yahoo is putting a reward program in to place - but the general commentary from the community annoys me.


It's simple pragmatism. I'd expect that HN, of all places, would get this. (And most seem to.)

You are a security "researcher". Maybe that means you work with a group of bona-fide professionals, maybe that means you're still in high school.

Either way, you have the capability to break things. But, breaking things isn't trivial; you don't expect to spend a few minutes "poking around" and come up with something, especially something interesting.

So you have some choices. You can: try to break things which will give you rewards proportional to the time you spent and the severity of what you find; try to break things which will give you almost no official reward at all; or try to break things and then sell the solution to the highest bidder or make use of it yourself. (Let's assume that people aren't generally in the habit of working for free.)

Now then. You're Yahoo, with millions of user accounts and a not-great track record for security. What would you prefer for the hacker to do, and how would you incentivize them to do it?

You can gripe about "the community" or "entitlement" all you want -- until it becomes sufficiently annoying or unproductive -- but that won't change the end result, which is that companies which give substantial rewards for bug bounties are creating a marketplace where they win by getting lots of good talent to examine their systems without paying by the hour or day for it and the company gets first dibs on the details of the bug.

Companies which don't do this, lose.


> Companies which don't do this, lose.

People lose. As in, real flesh and blood people. Everyone seems to think, "Ah, they'll just sell it to the highest bidder." You know what, screw that belief, and screw those people who think that way. You do that, you become evil. End of story. Should it be the company's job to ensure this doesn't happen as best as possible? Yes. Does the lack of a reward justify the demonstrably evil behavior of selling vulnerabilities? No. Sick and tired of the idea it's ok to sell a vulnerability wherever the money is. When is the computing community going to step up and put an end to morally wrong behavior like this? We need to ostracize those people, not condone and justify such behavior.


it's a bit more complicated than that, though - it's not that the same people who would have found and reported vulnerabilities to yahoo if they were properly incentivised will instead turn around and sell them to the highest bidder. the black-hats will always get a higher reward from other criminals than they will from the companies; the point is that if you can also get a white-hat to report stuff to you, you can perhaps fix it before the criminals exploit it.

in the absence of incentives, the danger is that the white-hats will simply not bother with you. and yes, people lose, but you cannot really lay a moral responsibility on people to help a profit-making company out for free just because if they don't other people might get hurt.


> Sick and tired of the idea it's ok to sell a vulnerability wherever the money is.

The idea that money always overrules morals is a deep and pervasive belief in the business culture of this country. The vuln market is no exception and is a symptom, not a cause.

> When is the computing community going to step up and put an end to morally wrong behavior like this?

About the same time any other industry puts an end to the morally wrong behavior they engage in (read: never).

Or, to push the same buttons as above but in another direction: when did everyone become so entitled to getting exclusive access to a bug/security report about them instead of competing for it in the market like anyone else?


I agree. I think the problem is conflating the dark grey market[1] values of vulnerabilities with their white market values.

Reportedly there is a lot of money in the security vulnerability dark grey market at this particular moment in time, and that seems to be pushing up the perceived monetary value of these vulnerabilities.

But if you think about it, it would feel an awful lot like extortion for a researcher who's found a vulnerability to allude to the grey market value of a vulnerability in a responsible disclosure discussion. This is kind of what the community is doing by consistently bringing that point up in regards to rewards for such responsible disclosures.

At the end of the day, if the researcher is virtuous, then the black/grey market value of the vulnerability is irrelevant, and so acknowledgement of the issue, followed by rapid action to close the vulnerability, and optionally, a token of appreciation is plenty of reward for the disclosure from a moral point of view.

Now, I'm not naive. I believe that people respond to incentives and when you're talking about incentives, then the black/grey market values do come into the calculation. But that's a purely amoral and pragmatic optimization problem, and therefore not a proper object for the moralizing that we've seen regarding these programs.

I don't have any particular issues with pontificating about how a particular company could be more effective if it increased its bug bounty rates[2], but any pseudo-moral outrage is hollow because it's founded on the assumption that moral and immoral disclosure are relatively equivalent options.

[1] That is, it's not always technically illegal, but I think that the market is fairly universally regarded as antisocial if not a major threat of the day.

[2] Though it would be very difficult for a company outsider to actually accurately determine the value of responsible disclosures to a company. There are a whole lot of vulnerabilities in complex software, and really, any particular disclosure is essentially worthless. I would imagine that the real monetary value of a given disclosure is orders of magnitude less valuable to the vulnerable company than it would be to a potential attacker. For the vulnerable company, they still have a vulnerable product after fixing the particular vulnerability, but for the attacker, they have a successful attack vector by having knowledge of the particular open vulnerability. Also, I can't imagine that the value of a particular vulnerability is proportional to the company's revenue/valuation/etc., which is the metric that seems to always be trotted out when talking about how a particular company's reward program is not generous enough, especially with regards to "billion dollar companies".


and to ensure the bug gets to the vendor and isn't sold elsewhere.


Isn't that ransom / hostage-taking?


Yes. Just like the store next to me who expects me to pay for their food. They have so much and I need that or I will die.

No, it is business. Yahoo has no right to expect you to work for free for them.


Yahoo doesn't have a right, but a researcher is acting immorally if he/she sells the vulnerability to someone else that may exploit it.


It sure seems like it to me. However, considering the climate of business ethics in this country, it's no surprise that businesses themselves would be treated poorly by customers/individuals. Businesses these days mostly seem to sacrifice all for the bottom line. If something has negative effects (to customers, the environment, their employees, etc.) they run the actuary tables and the most profitable solution wins. It's tit-for-tat.


Ransom / hostage-taking is when you take something that doesn't belong to you.

This action is taking something that you created (important, unique data) and offering it for auction instead of gifting it to the place where it would benefit everyone.


Similar to finding nudes of your neighbor lying in their driveway. Sure, you could let them know and hope for a reward, or you could put it up for auction, which is totally not exploitative. /s


Yahoo is neither my neighbor, peer nor equal. There are very different social expectations when doing 'business' with your neighbor versus doing business with a corporate entity. Also, losing photos is very different from distributing a partly defective product - you're generally not morally at fault for accidentally losing your own stuff, but you are fully responsible for accidentally manufacturing and distributing defective products.

An appropriate non-IT analogy would be noticing a particularly simple way a Bigcorp chainsaw could be made safer, fixing a risk of hurting the user - you could just let them know "hey, do X and all your chainsaws will be safer for all of us" and get nice fuzzies, or offer to sell them (or other chainsaw manufacturers) the discovery - it's your choice, and although one is much more charitable, both choices are acceptable.


It's business.


Serious question: I'm familiar with bounties for browsers and OSs, but do most websites offer bug bounties now?


Many websites do but I wouldn't say most.

Bugcrowd maintains a list of websites that have bounty programs: https://bugcrowd.com/list-of-bug-bounty-programs/


>Great on Yahoo for putting a reward program in place, but when did everyone become so entitled to getting something for reporting a bug/security concern.

For better or for worse, cyber criminals started paying black hats for exclusive access to vulnerabilities, and now "good guys" such as the NSA and the FBI are paying grey hats for exclusive access to vulnerabilities. At this point, if you are a security researcher, if you voluntarily disclose a vulnerability you find to a company like Yahoo or Microsoft, even with the fairly generous rewards getting paid out, it's likely they will be taking a monetary hit compared to what an organization like the NSA would be willing to pay.

Fortunately, there are still people who have enough of a conscience that they still care about doing the right thing, as opposed to optimizing for their monetary return (and if you are selling to the government agency like the NSA, you are automatically on the side of the angels, right?). But if you are looking for someone to blame, I'd nominate organizations like the NSA and the cyber-criminals. That's not particularly constructive, though --- the world is the way it is now, and it's unlikely to be something that can be changed back to the "Good Old Days" (which, for the record, was never really all that Good).


> when did everyone become so entitled to getting something for reporting a bug/security concern.

Somewhere between the ability to sell vulnerabilities and the implementation of bug bounties.


I don't think it's about entitlement.

Twilio, either formally or informally, sent me a t-shirt twice when I found a bug. For me as a programmer, a bug on the 3rd party partner side generally means I spent some amount of my time figuring out that the bug wasn't something I was generating, but rather my vendor. Programmer time has a pretty real value to it, which no one likes wasting.

When I reported the bug and the support person offered to send me a t-shirt, I forgot about the time I spent on the bug and went "Neat! A t-shirt!". Now, when I look at the t-shirt, I couldn't tell you the specifics on the troubleshooting or how it ruined my afternoon 10 months ago. But, I can tell you that it felt like the vendor actually responded to my concerns. Some vendors haven't, and then I do the natural thing and spew vitriol about them across the internet and to my colleagues.

If I didn't like a vendor and they were replaceable, the second that I hit a bug that I felt the need to report, I would just not use that vendor anymore. Anyone who files a bug report has some amount of loyalty to a company that is not worth upsetting.


I've submitted a number of bugs to different tools and sites, and in the vast majority of cases the company involved have promptly got back to me, have thanked me for my time, and have informed me of the status of the bug.

In the rare instances where my report is ignored, and any attempts to report to a developer (easily found on Twitter) are ignored, I tend to just forget about it. I assume that it gets read, and that eventually it gets fixed. That being said, when you've found a software bug, especially a large bug, the team's treatment of the bug reflects your opinion of the entire company. I noticed that one large website was pushing new registered passwords around in plain text, and I reported this. Six months later, the bug still exists. My opinion of the holding company (which runs a number of popular sites) has dropped significantly.

I think most developers are just happy to be thanked, and are hopeful that their report will be taken seriously and fixed as a priority. Gifts are nice, but a fixed bug and a genuine thanks from a real person at that company are much better.


I don't think it is entitlement. We live in a value for value world. Bringing to light a problem that can cost the company millions of dollars is worth something. No one was bitching (at least not loudly) about Yahoo not having a bounty program, the reaction was that if they only want to shell out $15 then they're cheap (not recognizing value).


Sorry, but I don't get this mindset. It would have been better to give them nothing rather than a "cheap" gift?

If you want to get paid market rate for the value you provide as a security researcher, then stop doing work on spec and just hoping that someone compensates you for it.


> It would have been better to give them nothing rather than a "cheap" gift?

YES!

There seem to be two camps here, neither of which can even fathom the other's position.

On your side, we have people who do a purely logical comparison that non-zero is greater than zero, so this is better.

On my side, we have people who inherently separate tasks done for free for fun or just to be nice, from tasks done for money. For these people, getting paid a pittance is a grave insult, while not getting paid at all (when nothing is owed) is just fine.

I don't really know how to explain it any further. I think the people in your camp just need to understand that the other camp exists and contains a lot of people, and that regardless of logic, giving someone a $12.50 gift card is a massive insult, far worse than giving them nothing. You don't have to understand why, but you have to know that this is how it is for a lot of people.


You are right there are two views, but they are reconcilable.

I think the problem mostly lies in conflating "token of gratitude" with "gratitude". The token is a cheap thing, and has some small monetary value. The gratitude itself is a much more valuable thing, for both the giver and the receiver. Reporters are motivated by doing the right thing, and perhaps getting some recognition for their contribution. The recognition has two parts: recognizing cleverness (you caught something others missed), and recognizing honor (doing the "right thing", reporting it to the affected party rather than exploiting it yourself).

You can't put a price on cleverness and honor. And if you try to, and you come up with $12.50, then you're an idiot. The only thing you can do is recognize it, and show gratitude for the help.

What the OP tried to do was show gratitude and recognition with a token, and some recipients confused the token for the gratitude. It doesn't sound to me like the giver was confused! E.g. he wasn't saying "Here, let me pay you for your time, eliminating the need for us to recognize your cleverness and honor for the cost of a T-shirt." Now you might say that the token was poorly chosen: there is a reason people invented trophies, items that are totally worthless other than as tokens of accomplishment. It's because the recipient will NEVER confuse a trophy for the price of the accomplishment behind it.

Personally, I think a cool little useless trophy would have worked better, and certainly no gift certificates! Being named and honored somewhere on the Yahoo website would be great. Giving a small cash prize, like $1000, would be a classy move.

The bottom-line remains: there was nothing fundamentally wrong with the T-shirt-as-trophy, apart from the (apparent) risk of recipients confusing it for T-shirt-as-payment.


I think you're absolutely right. There's nothing fundamentally wrong with giving a t-shirt, or even a gift card for a t-shirt, if it's properly communicated. But it has to explicitly be something like, "Thanks so much for this. I'm terribly sorry that we can't give you a proper reward, much though I'd like to. As a small token of my appreciation, I hope you'll accept a t-shirt as my way of saying thanks. Since I don't know your size, here's a gift card you can use to obtain whatever size and style you prefer." If it had been done like this, I think it would have gone over fine. There might be some grumbling about how a large company "should" have a bug bounty program, but not the sort of attitude we've seen.

As best I can tell, the gift card was offered without comment. And while the intentions were good, the lack of such a message meant that it was taken badly.

I guess the lesson is, if you're offering only a token of appreciation, make sure the recipient knows you know it's only a token.


I wish a sociologist or anthropologist would comment and explain formally what this is but I'm thinking it is something along the lines of a thank you or appreciation not being quantifiable. Where as putting money (or something quantifiable) on the table communicates some sort of value.


Yeah, I'd like a better explanation myself. I feel it, but I can't really explain why.

It seems like there are just two distinct modes. When you do something for free, you're basically doing a favor, and you get pleasure from being altruistic. Once you get paid, it's now an exchange of value, not altruism, so you only get pleasure from being paid. If the pay is small, you'll feel upset because your end of the bargain is based entirely on that, while if you're doing it for free, you switch over.

I could be full of it....


I'm not a sociologist, but I've had a longstanding interest in the origin of manners, so I've read a bit on this. The problem here is that putting a number on something invites comparisons. We almost can't help comparing numbers. If my friend gets a number and I get a "You are awesome! Thank you so much!" I can't easily compare those because they are unlike each other. But when my friend gets a 500 and I get a 12.5, it is obvious to everyone that the number I got is so much lower, it's embarrassing. That guy's number is way bigger than mine.

Basically, no monetary reward is necessarily expected here. But once you give one, it is a faux pas to give one that looks small in comparison to what is considered the "norm." We even have common insults reflecting this fact, where bragging about something impressive will invite comments like, "Wow, here is a shiny nickel." The impromptu offer of a clearly paltry reward is understood as a slight.


Yahoo "owed him one" when he reported the vulnerability.

When they traded a shirt for the report Yahoo was implying that they no longer owed him anything, it was a fair barter.


If nothing is given, you assume the first party is indicating that their thanks/recognition is enough.

If something is given, then they are acknowledging that their thanks/recognition is not enough, but that $x monetary value makes up the difference.

Some people take it as an insult that if thanks isn't enough, they can be 'bought' for $x, where $x is $12.50, or whatever. The reasoning is basically that if you are saying the time taken to reproduce and report the issue is important enough to compensate, you should probably compensate commensurate with what they would expect to make for their time/expertise.

I think most people who report these things do so because they want to improve things, not for the money, so most probably fall into the first camp, but I can understand where the second camp is coming from.


No, I get what you're saying. But they originally DID do this task for free. The work they did was already done regardless of what Yahoo did with their report next. If they were expecting or counting on a charity gift from Yahoo, that seems like a mistake.


> separate tasks done for free for fun or just to be nice, from tasks done for money

Sure. But given the lack of a formal bounty program at Yahoo!, it was a poor choice to pick them as a place for "tasks done for money".


They didn't necessarily pick that, though. When you submit a vulnerability to a company that doesn't have such a program in place, it is their choice as to whether that falls into the "free" or "paid" category.

Yahoo's reaction put it into the "paid" category, and then paid an insultingly low amount. That was their error. A different reaction, even just different wording when sending the gift card, could have put it into the "free" category.


You can see it as an insultingly low payment or as a bigger than usual thank you. If you expected nothing, the shirt is a pretty decent thank you. If you expected to be paid, the shirt is an insult. Clearly the people who bitched about the shirt expected to get paid. So they had already put their work in the "paid" category and then complained when the pay was low. It sounds like a lot of other people didn't expect anything and put their work in the "free" category and were (at least a little) pleased to get an unexpected thank you.


You are misunderstanding things. A dollar amount automatically puts it into the paid category, because it is comparable.


You are misunderstanding things. It used to just be an actual t-shirt. But people who already had a t-shirt said they didn't need another one. So an equivalent amount of store credit was given to get something other than a t-shirt. I guess he could have just offered for them to pick from a few different schwag items. Any physical item as a thank you is going to have some sort of dollar value... but I still don't think that automatically puts it into the paid category.


There's a big discussion of this in the book "Predictably Irrational", chapter 4: "Why we are happy to do things, but not when we are paid to do them". It explains that there are two worlds: The first is "social norms", which is community based. This is where you have friends over for dinner, help someone move a couch, and other friendly things. The other world is "market norms", where things are transaction based with something exchanged for something of equal value (normally, but not always, money).

The problem is when the worlds of social norms and market norms cross. The book gives the example of Thanksgiving dinner, and what would happen if you offered your mother-in-law a couple hundred dollars to pay for the meal at the end. Another example is sex: paying for sex makes it a very different situation. (Also note the difference between giving someone flowers on a date and giving someone cash.)

The book describes a research experiment, where participants were paid $5, 50 cents, or nothing to perform a short task of sorting shapes. The people paid $5 sorted 50% more shapes than the people paid less (since they were more motivated), but the people paid nothing did the most of all since they were motivated by helping out the researchers.

This ties in with intrinsic vs extrinsic motivation - if you're getting paid, it's extrinsic motivation, and then you're motivated by whether you're getting your money's worth.

(There's a lot more, but I don't have time to get into it, so check out the book.)

The point is, that if people report bugs for free, it's part of the social norms world, where they are keeping the world safe, making it a better place, etc. If they are getting paid, it's part of the market norms world, and they expect to get paid what the bug is worth. With Yahoo, the lines got crossed: giving a T-shirt is generally part of the social norms world, but giving a $12 gift certificate crosses over into the market norms world, and $12 is insultingly low. This is why it would have been better for Yahoo to give nothing.


Exactly. This guy accidentally crossed into market norms by doing something that seemed completely reasonable at the time.

Imagine you ask a friend over to help fix your car in exchange for beer. This would clearly not be interpreted as payment, but as a way of saying thanks. Now suppose it turns out they generally like beer but hate the particular kind you purchased, so you feel bad and give them $10 to buy themselves a beer they like. Suddenly, thinking you were doing something nice, you've crossed into market norms.

This, as far as I can tell, is basically what happened.


> It would have been better to give them nothing rather than a "cheap" gift?

Yes. Giving nothing doesn't give any indication of value - maybe the work is very highly valued but it's not Yahoo's policy to compensate. Fair enough.

Giving a cheap gift attaches a very particular value.

There is a body of research on this, e.g. http://ideas.repec.org/p/zur/iewwpx/007.html

"rewards undermine the intrinsic motivation of volunteers." "a large literature in social psychology [emphasizes] that external rewards can undermine the intrinsic motivation for an activity"


"Sorry, but I don't get this mindset. It would have been better to give them nothing rather than a "cheap" gift?"

Standard practice to deliberately insult a waitress is to leave a short tip. That's more insulting than leaving nothing.


Probably related to the fact that the waitress can justify no tip with the thought "they might have forgotten to leave one". A short tip sends a message.


Which is a good point - as it gives illustration to mikeash's point in this same thread. This doesn’t make logical sense at all - but there are practices based on it.

And in this case both the "a token of our appreciation" and "short tip" practices could have been "meant", and were as a matter of fact taken as "meant" by the sender and receiver respectively.


Oh hell, is it? Quite often I'm short on cash and just tip with the change I have - not tiny-denomination coins, I hasten to add, but 50ps/£1s. Bugger.


I was once at a busy bar. The guy in front of me, his order came to $9.75. He gave the bartender $10; she gave him a quarter back as she delivered the last of his drinks.

He tried to leave the $0.25 as a tip. She said, "Oh, no, you must need this," and gave it back to him. Her clear view was that no tip was better than $0.25. I congratulated her, and made up for his idiocy with my tip.

If you don't tip at all, you're either clueless or an asshole. Tipping a quarter is more insulting: you're acknowledging the need to tip, but making it clear you don't think much of the bartender.


I would think he avoided the concept of paying them by giving a gift instead, which sidesteps the concept of "pay" the same way an honorarium[1] would.

I was at a company where someone reported a security problem to the support team. I didn't quite believe it, but they got me on the phone, and within 10 seconds the guy had said the right words to tell me he had found something. So we fixed it.

What then? The company had no formal bounty system in place. I said we should send him something, so I got him an Amazon gift card and sent it to him along with a letter of thanks.

He said thank you back to us.

It all seemed good, but maybe it was just luck of the draw that an Internet mob didn't show up for me the next day.

[1] http://en.wikipedia.org/wiki/Honorarium


Yahoo is free to do whatever they want. I think that's obvious. My opinion from the sidelines reflects what I think it looks like. Certain things become the norm, e.g. someone finds $100K and returns it; the norm is to pay them a nice reward for doing so. There is absolutely no agreement or law in place that says they have to get anything in return. In fact, neither I nor most people I know expect anything in return for doing the right thing. What would your reaction be if the finder received nothing?

Just in case you want to know where I stand: if I find $100K in cash and there is no way to trace it back to me I'm not returning it. However, that is different to finding a bug and selling it for monetary gain.


Yet there have been dozens upon dozens of threads in this same forum of people making up all kinds of explanations of why they don't want to pay $15 for a music cd they will listen to possibly dozens of times over their lifetime. Ironic...


It implicitly meant they don't really value security.


Exactly. When that comment came from a Yahoo employee I caught a glimpse of what I think the company's attitude towards security is. To me it seemed like there was no understanding that by not taking care of the little things that are lurking in the dark it can cost the company big time. Yes, I know this is an employee's personal opinion, but still...


Kind of an unfair statement imho. I work for Tumblr, and we run independently still. That being said, a company's policy does not reflect every employee, especially when you have a company that employs over 11k people.

I think it's great they are making a policy change, and making it retroactive even. My opinion is facing the community and the perceived entitlement people have at getting something for reporting a bug. I applaud those that have policies in place, but the community is shining a bad light on itself with the outrage.


It's amazing how every time Yahoo is in the news, I end up that much more grateful to have rejected their job offer.

Every act an employee takes and every word they speak while on the job is directly attributable to their employer. No exceptions, no excuses, ever. It doesn't matter if it was against policy, and it doesn't matter how many employees there are. The company must take responsibility. It reflects extremely poorly on the corporate culture of Yahoo and Tumblr that you don't recognize that.


We have different opinions and different values. I value my right to speak freely and not in representation of my employer. I wouldn't judge your employer for your words, hobbies, extracurricular activities - they are not a representation of you, nor are you a representation of them. If you feel otherwise, that's your right to do so - I hope that the corporate culture that you found suits you better than the one that works for me.


> I value my right to speak freely and not in representation of my employer.

You fail to understand two things. The first is that you have no such "right". You are speaking as a representative of your employer when others perceive you to be. What you or your employer think is irrelevant.

The second is that this isn't about you. Whether you must take responsibility internally is up to your employer. But whether your employer must take responsibility in public is not. It has nothing to do with your "rights". You don't have a say in the matter.


Because an employee feels that a lot of people have an entitled view towards security payouts as opposed to just reporting them because it's the right thing to do...this means that Yahoo has a bad attitude towards security?

Could you please explain your logic there?


I felt like if there is a company culture where everyone understands that security vulnerabilities can be costly then there wouldn't even be a discussion about security researchers being entitled, there would be a good bug bounty program in place from the get go. Maybe my logic is flawed but to me no bug bounty program says we really don't care enough about this and it's not a big priority, we'll just let/hope people do the right thing and report problems because that's how big internet companies do things in 2013.

That's how I see things from the outside, I don't have any inside information and it could very well turn out they have most of their staff working on software testing and security.


Agree, but how would you feel if you got an Addison-Wesley t-shirt instead of a check for $2.56?

http://en.wikipedia.org/wiki/Knuth_reward_check


You did read that right? Knuth doesn't send real checks anymore due to check fraud. So the actual thing you get is comparable to a t-shirt (admittedly a very limited edition t-shirt).


I did. The question was 'when did everyone become so entitled to getting something for reporting a bug' to which I provided a valid (or at least humorous) possible answer, i.e. since Knuth's reward checks became a status symbol.


Money is how we keep score and literally show each other what we value. I think there is a threshold amount that demonstrates that they really care and I would define that as enough money for a date.

I found a vulnerability with a large regional service I use a couple of years ago and did the right thing by discreetly reporting it. They thanked me and gave me credit for their service equal to about $50; I felt like they really appreciated my report.

If they had given me swag they give away for free I would have been nonplussed.


If you report a bug to a company that has no posted bug-bounty policy, you really shouldn't be expecting anything but a "thank you". If you don't get a thank you, then you have a right to be nonplussed. Anything beyond a thank you (cash, T-shirts, warm hugs) is pure gravy and, IMHO, ought to be appreciated as such.

That said, yes, big companies really ought to have official bug bounties. But that doesn't mean you have a right to expect them.


There’s a market rate for vulnerabilities in highly trafficked websites. If you want people to give you the bug report instead of selling it to zero-day gangs or governments then you need to pay the market rate. You can expect a small discount because selling the bug to you is ‘doing the right thing’, but if you’re not paying more than a tee and you want to attract the people that go out of their way to discover issues then you’re automatically on the back foot.


Roughly similar to a guy that walks through your neighborhood jiggling door knobs and asks for $100/house when he discovers an unlocked door or disabled alarm system; otherwise he will report it to his burglar friends.


Not at all similar to that. Ignoring the fact that the characteristics of residences and a very high traffic website with an enormous user-base are vastly different, your argument relies on the discoverer of the vulnerability choosing one of two paths: get paid by the company or get paid by nefarious people.

A third option is to choose neither because the discoverer doesn't think it warrants his or her time to report it. Reporting a security vulnerability requires more than just sending an email. Meanwhile, others who have discovered the same vulnerability may be selling access to it and a company like Yahoo has no idea until severe damage has been done.


Assuming they spent effort to discover the vulnerability, the idea that there is a 3rd option where it is suddenly not worth their time to report it makes little sense.


...I technically work for Yahoo...

Why on earth are you undermining Yahoo's official communications in a public forum?


Because taking a job with Yahoo! did not involve signing away his rights to his own opinions, or the ability to discuss them with others without hiding his employment relationship. Which is a good thing.


Of course I challenge the wisdom of the undermining, not anyone's rights or abilities with respect to it.


He explicitly advertised it though and then gave a contrary opinion. The only reason to do that is to intentionally harm the original message.


The opinion stated is with the general mentality around bug rewards. In what way was it undermining Yahoo?


You say, "go directly to the companies that actually have a reward program in place" while Ramses says, "when you work for a company that serves more than 800 million people every month, you take network and user security very seriously." Ramses would probably prefer you not to discourage vulnerability reporting in the way that you have. But more importantly, his tone is entirely different. He doesn't mention the term "entitled" once, and he doesn't imply that the original report was somehow deficient.


I said "If you are looking to make a living off of finding bugs, go directly to the companies that actually have a reward program in place." which is a little different. I encourage reporting bugs at any capacity. If your motives are aligned differently, then why would someone get mad at not receiving what they think they should be getting? My tone is different because I am expressing my opinion on how there seems to be a sense of entitlement out there lately - at least that is how I perceive it. I don't want to discourage the reporting aspect, I want to discourage the way people are behaving when their bug report doesn't meet certain standards, or where even a thank you rubs them the wrong way.


You're absolutely right. That's why I would never use Yahoo for anything important of mine. Having such an incentive in place is a crucial measure in today's security climate.


Great - so do you use Github? Because if you do, then you are obviously putting your important files at risk.


Paying bounties in this way is in my mind comparable to tipping in restaurants. It's a compromise that doesn't really solve the stated problem, but it's adequate enough to allow business to move forward until the status-quo evolves.

Ideally in a restaurant, we'd pay servers real wages. Well, the market won't bear that. So we have this tipping system set up. It's by no means ideal, but it works well enough and eventually, tipless restaurants will bowl everyone over with how much better they are and we'll just move in that direction.

Security research needs to be paid. There's too much on the line to just leave this work to unpaid volunteers. But a real security department, for many reasons, is simply unfeasible. Real security has to audit everything. Too much manpower is needed. Bug bounties allow websites to get the security updates they need while compensating researchers somewhat adequately.

It's not entitlement to believe that you should get an appropriate payment for your research. These companies have a responsibility to their customers. They all need to be paying bounties. Even the ones that have security departments should be paying them because people miss things all the time and the consequences of a breach are tremendous. Better pay a little now to avoid a lot of pain later.


It's not so much entitlement as that there is a real and active marketplace for security vulnerabilities. If Yahoo isn't going to pay, someone else is going to pay for vulnerabilities and that would be a lot worse.


I look at getting paid for bugs from the other side as well. The company can offer X dollars for a bug. Cool. So, you're buying my time.

Or I can take this bug to an Onion site and auction this bug off to the highest paying blackhat. It would most likely be used for illegal purposes, but selling bugs isn't illegal if found accidentally.

What I'm saying is this is Capitalism in action.


>when did everyone become so entitled to getting something for reporting a bug/security concern.

When did everyone stop reflecting on how communication can be improved? Yahoo! wants to better show its appreciation and gratitude for these security finds. Security researchers don't want their work cheapened.


I generally agree with this. It's trying to make a living off of handing in lost wallets or purses full of money then expecting a cut just for doing what any civilised person should do. Personally, I'm happy with a thank you, a t-shirt would have been a bonus.


People who imploded over this should be embarrassed. Here's a guy who was doing more than the company policy just to be nice, and everyone turns into complainypants over their perceived entitlement. Good on the company for course-correcting and instituting a proper reward program, but the way this was handled by the technical crowd is embarrassing.


The apology is a good one, and I feel bad for this person. But I don't think that retroactively changes how bad this looked originally.


It looked bad at first glance, but keep in mind they had no bug bounty program. Information about vulnerability reporting never said there would be a reward. Security bounties are a fairly recent trend, and I'd wager 99% of the web has no such policy in place. Maybe we expect the bigger companies to have one, but there's no guarantee. In the end, when no bounty is promised up-front, you can either take the low road and sell it on a forum, or take the high road and enjoy your T-shirt. Whether or not you're a good or bad citizen is up to you.


>Here's a guy who was doing more than the company policy just to be nice

Was that clear at all before, or was the "reward" just coming from generic Yahoo? It seems like he was essentially creating a de facto company policy, without company approval.


The guy was awesome, and should be commended. But I don't yet see any reason to think Yahoo as an organization didn't fuck this up.


They didn't have a bounty program set up, like many if not most companies. I don't see a fuck up.


I think any time your company gets so much bad public comment that they have to rush out a public apology for something that has received a "-gate" suffix, it's reasonable to call that a fuckup.

They're surely paying a lot for their security team. And they know (or should have known) their competitors are offering substantial bug bounties. And they knew (or should have known) that one of their own people was spending significant time and money rewarding people reporting bugs.

The managerial fuck-up I see is not putting those things together and saying, "Hey, we should have a real bug bounty program if we don't want to look like cheap jerks." Apparently they were trying to rectify that, which is great. But if I were a manager there, the question I'd be asking is, "Why did we take so long to recognize and respond to this problem?"


As a security researcher and someone who regularly participates in bug bounties, thank you. You didn't have to do what you did, but you did it anyway, just to be nice; that should be applauded, not criticized.

Remember everyone: if there's no bounty program in place, reporting bugs means that your expected value for those bugs is $0. If you get more than that, that's awesome, but don't expect it, or act like it's deserved; it's not. Enjoy your Yahoo swag and go on with life.


I am fine with getting nothing, but I will get angry if you insult me after I just helped you. And telling me my skills are worth less than minimum wage (assuming it took more than 3 hours to find the bug) _is insulting_.


This is asinine. You ask your friends to help you move, and they happily agree -- they're your friends, right? So they come over, they help you move for 5 or 6 hours. Once it's completed, you get some beer and pizza for everyone. The nominal value of those items is what, $5-6 per person? Holy crap, you just told your friend that their time is only worth $1/hr!

Yahoo didn't agree to give you money, didn't hire you to test, and didn't even say "hey, can you take a look at this?". It's completely irrational to then say that a gift that they provided you is an insult. In fact, I'll go further: it reflects very poorly on your own character, and not theirs.


I'm guessing you're trolling for comments on the overjustification effect - http://en.wikipedia.org/wiki/Overjustification_effect


I spent 10 minutes reading your comment, parsing it and then responding to it. You owe me $5.


You spent 10 minutes reading that comment before you understood it?!?


A t-shirt is a great gesture from a dude, but a terrible one from Yahoo!

It's too bad that, in his role, he was or appeared to be acting on behalf of yahoo. The impermeability of corporate behavior meant nobody on the outside really knew the difference before now.


This can work well from a company also, it's just that expectations should be met. We (Startup Threads) ship out shirts via API for companies and it's overwhelmingly a positive response for recipients, as it's done as a thank you for something that normally doesn't elicit a payment/attention (like bounties for vulnerabilities would)



No joke. What an unmitigated douchebag.

I work with so many people who have no hustle. No compulsion to go above and beyond the constraints of the situation.

This position openly advocates that employees should only be workerbee drones who stay within the rules of their corporate overlords

and/or

Only succeed, never make mistakes.

Both are fatally toxic attitudes. Fuck Matthew Shapiro.


Every single post on the first page of this guy's Tumblr is angry at someone or something. Who is this guy, and why are his opinions on management relevant?


note: ramses is a friend.

so while i can't speak for him, what i can say is that i've known him for many years, worked closely with him on very large, global issues, and have found him to be a very standup, forthright guy who strives to make the world a better place.


It's very nice that he bought t-shirts at his own personal expense. He comes over as such a conscientious person that I feel bad "t-shirt-gate" happened.


If I were a security researcher and put a lot of effort into finding vulnerabilities for Yahoo I would have simply sold the exploits to the highest bidder, and invited Yahoo to participate in the auction. If they lost, then I'd go to the press with the story of how little their users' security means to them (again to the highest bidder.) Either way, (only in the long run in the second case), the users win and I'd sleep like a baby.

It's just as well I'm not a security researcher.

Edit: Wow a lot of drive-by-downvotes. I'm not serious guys, but I hope I have made some people think about the moral issues involved. It's not as clear as people are making it out to be in other comments on this post.


Why not just do the same for physical locations? You walk around a parking lot checking car doors, or maybe all the doors in an apartment building. If you find one unlocked, you text the owner and some local thieves so they can bid on the vulnerability...

Usually, behavior that would be shitty if done offline is just as shitty online. There is a fine line between freelance security research for bug bounties, which is basically crowdsourcing security testing, and rank extortion.


No, because in the car metaphor the person with the unlocked door is not putting thousands of innocents at risk. Now if he had an unlocked door, and the sign outside his building happened to read "Joe's Firearms and Ammunition" then forcing Joe to be more careful with his security, no matter if it's unpleasant for Joe, is a good thing for society on the whole. Doing that by auctioning the location of his store to thieves is obviously unethical.


But he is putting innocents at risk.

That's why in my jurisdiction you can get fined up to 2000 Euros for that (a realistic amount is a low double-digit amount -- if nothing further happens, of course).


Nope, Yahoo is putting innocents at risk for having the bug in the first place - the bug/risk/threat was there (and possibly known by blackhats) before the finding. It's the duty of Yahoo to find and fix issues with data that is entrusted to Yahoo - they can try to find everything themselves, or they can pay others to do it instead.


So what you're saying is that you're the kind of person that needs to be paid to not be a dick? Uh, congratulations?


No, if you read more closely, you'll see I'm the kind of person who likes to get paid for being a dick. My comment is a bit tongue-in-cheek, but the moral questions it raises are interesting. Well-being of company vs user. Short-term user security versus long-term user security. I don't think you can say categorically that it would be wrong, in some cases it could play out better for the innocent users. However, I don't think I'd really be comfortable selling an exploit to any party other than the company, but as mentioned in another of my comments here, the auction could be a bluff (especially if it's a hidden auction.)


Lol, fair enough ;)

Still, I think that the moral action (whereby "moral" I mean being disinterested and caring about outcomes for users) is fairly obvious in this specific case (Yahoo has a good rep for taking security issues seriously) - send them the patch that you have, regardless of compensation.


Yes, that's definitely more moral than my suggestion. However, you have to remember that not all "security researchers" are going to be so moral, and many of the more moral ones will simply not bother because they're not getting paid for their work. So users both gain and lose when you report an issue without compensation. It seems to me to be better to try to force the company into changing their policy, like what happened in this story. But it should be done without putting innocent users at risk (contrary to my original comment.)


Pretty mercenary. What you propose is not ethically neutral... it is akin to blackmail.

It saddens me to see so many who feel this way.


While it does violate a bunch of cultural moral norms ... there is absolutely an argument in there that overall, over time, it would produce a more positive outcome for users than a straight white hat approach.

Refuting or discussing the argument would be interesting; painting the suggestion as objectively wrong using emotive terms doesn't really move us forwards.


To argue the other side, I think it is wrong because you can't know that the good you do will outweigh the harm you do. But everything, even seemingly beneficial things, have both good and bad effects and morality seems to be the art of balancing them. However, if somehow you had knowledge that the long-term good far outweighed the short-term harm, it seems like it becomes the ethical thing to do. In real-life you don't usually get that kind of certainty though.


If it leads to a better outcome, does it matter that it's blackmail? It's the age old moral question of do the ends justify the means. Like most moral questions the correct answer is not yes or no but "it depends." The real loser here would be the company with the retarded security policy, and they deserve what they get. If they have a bug bounty program, then naturally the ethical thing is to report the bug through the correct channels. If they don't then their users are the ones silently paying the price. If you wanted to be squeaky clean you could simply refuse to accept the highest bid if it wasn't from the company. In that case I really see no moral downside.


While the users would be paying the price, it would happen because you actively made the users suffer because you were not paid enough.

Even sitting on it is immoral, but in a lesser way. Users would then only lose in the case someone more malicious finds the same problem.


At that point you've stopped even pretending to be a "security researcher"


Yes, I suppose I would need to get the business cards re-printed. "Professional Blackhat - ethics negotiable, for the right price."


That's some nice moral gymnastics to make selling exploits to criminals mean that you actually did a favor to their victims.


Yes, it is cute isn't it? Being serious for a moment, I don't think you can justify harming users now in exchange for potentially better security for them down the road - even though it is bound to sometimes play out best for them overall. The problem is you can't know that, and you're responsible for what happens good or bad in this case.


That's a wrong way of looking at the situation.


You could just state that I'm wrong, or you could explain why you think that. The second is valuable, the first is a waste of a comment.

Edit: why would anyone downvote this? Other than the owner of the useless comment anyway... For the record, comments on HN should have substance, it's in the guidelines when you signed up.


> Edit: why would anyone downvote this?

It's my policy to downvote any comment that complains about downvoting. However, it would be better in this case to not even respond to GP's inane scribbling. Trust the downvoters to get around to it eventually.


I prefer giving reasons why behavior should be corrected as opposed to downvoting and hoping they can divine why they were downvoted (like whoever downvoted my comment with the reason why his comment was bad, I have no clue what they objected to, so they accomplished little.)


No good deed goes unpunished.


I feel like this is a stupid question, but: Why would people get mad at him for sending out t-shirts (i.e. tshirt-gate)?


Because it's pretty much an industry standard now, for those with a prominent web presence, to have an official bug bounty program[1]. Google, though likely not the first, is one of the more prominent companies to offer this -- and has been for several years -- to the tune of $100-$20,000[2]. A $10 t-shirt is laughable compared to that, to the point of almost being insulting.

Was it poor form to expect grandiose payouts from a company without a bona fide bug bounty program? I think so.

Is it even sadder that, up until publicly shamed, Yahoo had no bug bounty program whatsoever? Definitely.

1. https://bugcrowd.com/list-of-bug-bounty-programs/

2. http://www.google.com/about/appsecurity/reward-program/


> Because it's pretty much an industry standard now, for those with a prominent web presence, to have an official bug bounty program

This is so wrong, it's not even funny. Bug bounty programs are awesome -- I've participated in many of them -- but they're a tiny, tiny, TINY minority. Of the top 500 websites, how many have bug bounties? 10? That's not an industry standard; it's a nicety.

That's changing, but seriously, there's absolutely nothing wrong with not having a bug bounty program right now.


Aye, good point, perhaps I should have said "...is quickly becoming the standard".

However, would it be fair to say that a majority of Yahoo's competitors have bounty programs? Google, Microsoft, etc.


Microsoft has done some extremely limited bug bounties, but zero on the web side of things. Google, yes. But there are tons of major sites that don't have them, even the engineering-focused ones. Twitter being a great example.


Because they weren't sending out T-shirts; they were sending out gift certificates for $12. When it's presented that way, it feels like Yahoo is trying to say that's all the report was worth to them.


It's like this.

Imagine if you were outside shoveling a decent amount of snow then your neighbor asked you to help shovel his property. If you haven't shoveled snow before, it can be a somewhat laborious task. After you were finished your neighbor said "Thanks for helping me out" and then gave you 50 cents.

It would have been better if they just said "thanks."


Then that makes you a somewhat bad neighbor.

Did the neighbor promise to give something in return before you began? Because if you start something with no promise of anything in return, then you shouldn't expect more than a thank you. To perform such a favor, then to expect something in return that was not offered reflects badly on you.

Or maybe your analogy doesn't work in this case.


Wow. You completely and totally 100% missed the point of my story.

I used the example of neighbors because they are (in some neighborhoods) neighborly, and do altruistic things for each other. When there is a big snowfall in my neighborhood, all my neighbors come out and help each other shovel. There are mostly apartments here, so very few people own a snow blower and everyone needs to dig their cars out. I live alone and whenever someone sees me shoveling by myself, someone always comes over and helps me shovel without expectation of anything in return, and it's always a different person from last time.

When I make baked goods, I usually stop by the people who live in my building's apartments to see if they would like some of what I made.

I once needed help carrying something up the stairs, so I just knocked on a neighbor's door and he came out to help me. This is the neighbor who doesn't have to pay for internet because I let him use my WiFi.

There's somewhat of a "rule": if someone is in need of something, they just need to ask, and everything works because the give and take is pretty even; nobody takes and takes and takes without giving.

The point is, the person shoveling snow did it to be nice, and to help a neighbor out. Once the person being helped offered a reward in return, they are now putting a monetary value on the help they received and the value was insultingly low, saying "this is how much I value you." If they just said "Thank you very much" then it just remains as an altruistic gift to the community.

I used the neighbor example to make altruism more evident, to not think of it from a purely business perspective.

Yahoo have 2 choices to not offend people:

1) Bug finding is simply an altruistic act from the community.

2) Pay fair compensation.


I would say, based on your follow-up, that I understood your story quite well.

Just because someone gives you pocket change for helping them out doesn't mean they put that particular monetary value on your help, it could be just what they had on hand. As in, "here's a little more than just my thanks". You're the one getting needlessly offended. You could always turn down the offer, which you shouldn't because it could be considered offensive to refuse. Out of all the options you have in that case, you choose to be offended. That makes you a bad neighbor.

I fail to see how one can expect any form of compensation whatsoever from Yahoo when none was offered in the first place. Just because some places offer bounties doesn't automatically mean everyone does. If you expect compensation when none was offered, then it's your problem with being offended when not getting anything.


Sounds like they "got the picture" and changed their vulnerability reward system overnight to closely match their competitors. I can't think of a much better reaction than this.


As a bug hunter, I think the initial problem is bullshit. There is NO POLICY about rewards in Yahoo. Nobody has the right to "beg" for a reward. Especially for "yet another XSS". Don't like the policy? Go sell that "XSS" if you can (nobody buys it btw).


I just felt the first bit of positive goodwill towards Yahoo I have felt in a while. It is important to recognize that behind most company actions and policies, there are people. Sometimes doing the best they can.


Did Ramses Martinez have the authority to pay people who found issues and instead sent tee shirts? Have people been paid in the past? If yes to both, the "no good deed goes unpunished" and "I'm new here so lay off" response is disingenuous. However, if there was no way Martinez could have paid bounties or no history of payouts, the grumpy response to not being showered with cash is unreasonable. (And perhaps Martinez, et al., already knew of this particular vulnerability.)


I'm still impressed that companies reward the reporting of security issues, whether it's sending a small "thank you" gift, posting one's name on a "hall of fame" page, or cutting them a check. In the mid-90's, I notified a company of a major security vulnerability and all I got was a visit from the FBI and my computer taken away for 16 months. We've sure come a long way!


Excellent post. Really loved the last line:

"This includes, of course, a check for the researchers at High-Tech Bridge who didn’t like my t-shirt."


Good on them.


I don't know what the T-Shirt looked like, but I am imagining it is a "I reported a critical bug that affected millions of users and all I got was this stupid T-Shirt" kind of thing.

Which, frankly, was a pretty cool gesture of thanks from the person writing. In a way I'd like them to keep the T-Shirts regardless of adding the monetary bounty.


> I reported a critical bug that affected millions of users

XSS lol


Reminds me of Knuth sending cheques for corrections to his books; like Picasso's doodles, pity the fools who cash them :)


Good result. Yahoo come out of this looking human and responsible. High-Tech Bridge have helped raise security standards.


A classy, concrete response in a human voice. This is exactly how great companies communicate.

Putting together a bug bounty program for a company like Yahoo is a lot of hard work with tons of tiny gotchas. It can take forever, and it's never ready when it needs to be. Looking forward to it.


Anyone else catch that their security group is called "Yahoo Paranoids"? Hilarious!


I guess a Yahoo shirt isn't quite the recognition factor of a very small check from Knuth. I dearly hate when someone spends their own money and basically gets the shaft. People wonder why individuals aren't nice.


A year from now people will be wanting the shirt instead of $150, because it'll be 'cool' and a visible way of showing off instead of just having an extra $150 in your account.


I like how Yahoo is paying someone to post gifs on tumblr every day: http://yahoomessenger.tumblr.com/


I wish Google or Yahoo rewarded minor bugs. They should care about 404s or a tool tip bubble with no tip. I find minor bugs on all major websites all the time.


Problem is, minor bugs like a 404 don't majorly impact their operations as much as being able to get into someone else's email or reset someone else's password. Typos aren't worth anything when it comes down to impact to business.


Anyone else impressed someone actually came forward and said "it's on me"? Sad to say it but this actually surprises me.


Thank you for reminding me to think before I start complaining.


So, isn't it just totally precious how ENTERTAINERS like us begin our postings with the completely unnecessary "So..." ?


Seems like too little too late. The t-shirt thing might have been in good faith, but wow was it a slap in the face. I wouldn't be surprised if exploits were sold for less than what they could fetch from Yahoo as a sort of candid rebellion. I'd love to see someone find an exploit, and then send Yahoo a shirt.


My neighbor left their front door unlocked while they were on vacation. I kindly locked their door and notified them and they sent me a nice bottle of wine in thanks. What a total slap in the face. A security vulnerability like that, I should be entitled to at least a home-cooked dinner invite. Now if you'll excuse me, I have a whiny blog post to write and I will also be embarrassing myself on Twitter via a series of self-entitled rants showing to the world how insecure I am.


One unlocked front door does not equate to a vulnerability allowing anyone to take over your @yahoo.com email account, unless of course in that house there was a file cabinet full of other people's personal information.

According to the Google reward program (http://www.google.com/about/appsecurity/reward-program/), a vulnerability of this type seems to be worth somewhere in the $5,000-$10,000 range.

Granted, the security researcher lamenting the lack of Yahoo's appropriate bug bounty program has no right to be righteously indignant about a gift certificate, but it seems clear now that Yahoo knew there was a problem with their bug bounty program and were in the process of fixing it anyway. I have no idea how much money such a vulnerability would be worth on the black market, but I suspect it is more than $12.50.

If I am ever in a position fortunate enough to have to make this sort of decision, I can say that I will be keenly interested in keeping these security researchers on my side. That appears to be exactly what Yahoo is doing now, so kudos to them!


So you're saying:

  neighbor family : nice bottle wine :: hundreds of thousands of customers : t-shirt
Hmmm. Your value function appears not to monotonically increase.


do something nice for someone where they offered no reward : they gave me something because they thought it was nice

do something for someone who never offered to give you anything but you expected a thousand dollars anyway : they gave me something because they thought it was nice


Except replace neighbor with corporation worth millions if not a billion and millions of users, unlocked door with door wide open, and vacation with home 24/7.

Also if a nice bottle of wine costs $100 from a neighbor making a median of 100K a year scale it up to a company with the profits of Yahoo and do the math on a tshirt.

What's it worth to Yahoo if someone finds an exploit that can expose all users? A friendly smile and handshake? Or another snarky reply on the internet.


Perfect reply, reframing the situation nicely.


Is it?

Let's see, the average monthly income in the states is about $4k. A decent cheap wine bottle is about $10.

Now compare that to Yahoo's income and that $12 store credit they gave him.

A more accurate scenario would be if the neighbours sent him the wine cork.


A slap in the face? I know bug bounty programs are a very good idea, no arguments. If a company doesn't have a formally posted bug bounty, though, I wouldn't be looking for vulnerabilities for money. Approaching a company with no formal structure in place to assess or pay out bounties, and saying 'you owe me a bunch of money' is never going to be a winning proposition.

I think what this guy was doing was awesome; he clearly understands the value of the work researchers were doing, and he did what was in his power to thank them. Compared to getting no reaction, or a terse email, this is probably in the top 20% of responses to random vulnerability disclosures.


This is self-entitled bullshit. If you (not you, but people in general) want to make a living off of reporting bugs, then get a job in the field, or know which companies are explicitly paying bounties. How is that expectation of a reward anything more than blackmail?


You're coming at this all wrong. Take a step back and think about the users. Imagine you're a Yahoo user and you learn that a hacker finds an exploit to take over accounts and tries to submit it to the company. They in turn send him a t-shirt, a friendly smile and a handshake. What does that tell you about the company? Does that make you feel like your account, data, etc. is secure and more exploits will just be handed over?

It's not about the money, it's about sending a message. And instead of chaos and people wearing masks, we've got vulnerabilities, and the idea that Yahoo actually values its users.


What else do you want them to do? They are even making the new policy retroactive back to July.


?
