
This has nothing to do with Yahoo - this has to do with every time there is someone complaining about them not receiving the bounty they wanted - and in this case about getting a t-shirt as a thank you. I am happy Yahoo is putting a reward program into place - but the general commentary from the community annoys me.



It's simple pragmatism. I'd expect that HN, of all places, would get this. (And most seem to.)

You are a security "researcher". Maybe that means you work with a group of bona-fide professionals, maybe that means you're still in high school.

Either way, you have the capability to break things. But, breaking things isn't trivial; you don't expect to spend a few minutes "poking around" and come up with something, especially something interesting.

So you have some choices. You can: try to break things which will give you rewards proportional to the time you spent and the severity of what you find; try to break things which will give you almost no official reward at all; or try to break things and then sell the solution to the highest bidder or make use of it yourself. (Let's assume that people aren't generally in the habit of working for free.)

Now then. You're Yahoo, with millions of user accounts and a not-great track record for security. What would you prefer for the hacker to do, and how would you incentivize them to do it?

You can gripe about "the community" or "entitlement" all you want -- until it becomes sufficiently annoying or unproductive -- but that won't change the end result, which is that companies which give substantial rewards for bug bounties are creating a marketplace where they win by getting lots of good talent to examine their systems without paying by the hour or day for it and the company gets first dibs on the details of the bug.

Companies which don't do this, lose.


> Companies which don't do this, lose.

People lose. As in, real flesh and blood people. Everyone seems to think, "Ah, they'll just sell it to the highest bidder." You know what, screw that belief, and screw those people who think that way. You do that, you become evil. End of story. Should it be the company's job to ensure this doesn't happen as best as possible? Yes. Does the lack of a reward justify the demonstrably evil behavior of selling vulnerabilities? No. Sick and tired of the idea it's ok to sell a vulnerability wherever the money is. When is the computing community going to step up and put an end to morally wrong behavior like this? We need to ostracize those people, not condone and justify such behavior.


It's a bit more complicated than that, though - it's not that the same people who would have found and reported vulnerabilities to Yahoo if they were properly incentivised will instead turn around and sell them to the highest bidder. The black-hats will always get a higher reward from other criminals than they will from the companies; the point is that if you can also get a white-hat to report stuff to you, you can perhaps fix it before the criminals exploit it.

In the absence of incentives, the danger is that the white-hats will simply not bother with you. And yes, people lose, but you cannot really lay a moral responsibility on people to help a profit-making company out for free just because if they don't other people might get hurt.


> Sick and tired of the idea it's ok to sell a vulnerability wherever the money is.

The idea that money always overrules morals is a deep and pervasive belief in the business culture of this country. The vuln market is no exception and is a symptom, not a cause.

> When is the computing community going to step up and put an end to morally wrong behavior like this?

About the same time any other industry puts an end to the morally wrong behavior they engage in (read: never).

Or, to push the same buttons as above but in another direction: when did everyone become so entitled to getting exclusive access to a bug/security report about them instead of competing for it in the market like anyone else?


I agree. I think the problem is conflating the dark grey market[1] values of vulnerabilities with their white market values.

Reportedly there is a lot of money in the security vulnerability dark grey market at this particular moment in time, and that seems to be pushing up the perceived monetary value of these vulnerabilities.

But if you think about it, it would feel an awful lot like extortion for a researcher who's found a vulnerability to allude to the grey market value of a vulnerability in a responsible disclosure discussion. This is kind of what the community is doing by consistently bringing that point up in regards to rewards for such responsible disclosures.

At the end of the day, if the researcher is virtuous, then the black/grey market value of the vulnerability is irrelevant, and so acknowledgement of the issue, followed by rapid action to close the vulnerability, and optionally, a token of appreciation is plenty of reward for the disclosure from a moral point of view.

Now, I'm not naive. I believe that people respond to incentives and when you're talking about incentives, then the black/grey market values do come into the calculation. But that's a purely amoral and pragmatic optimization problem, and therefore not a proper object for the moralizing that we've seen regarding these programs.

I don't have any particular issues with pontificating about how a particular company could be more effective if it increased its bug bounty rates[2], but any pseudo-moral outrage is hollow because it's founded on the assumption that moral and immoral disclosure are relatively equivalent options.

[1] That is, it's not always technically illegal, but I think that the market is fairly universally regarded as antisocial if not a major threat of the day.

[2] Though it would be very difficult for a company outsider to actually accurately determine the value of responsible disclosures to a company. There are a whole lot of vulnerabilities in complex software, and really, any particular disclosure is essentially worthless. I would imagine that the real monetary value of a given disclosure is orders of magnitude less valuable to the vulnerable company than it would be to a potential attacker. For the vulnerable company, they still have a vulnerable product after fixing the particular vulnerability, but for the attacker, they have a successful attack vector by having knowledge of the particular open vulnerability. Also, I can't imagine that the value of a particular vulnerability is proportional to the company's revenue/valuation/etc., which is the metric that seems to always be trotted out when talking about how a particular company's reward program is not generous enough, especially with regards to "billion dollar companies".



