Hacker News

OP here. Really interesting to get your take on that. From my (far less security educated) POV the Google XML bug felt less risky from a monetisation angle.

I guess the difference is between exploiting it yourself vs selling it. There was a clear path to monetisation that didn't require selling the exploit on the black market, and which could well fly under the radar (from my reasonably well educated SEO POV).

However, I don't think bug bounties necessarily need to equal the 'market value' of the bug, whatever that means.




Just to clarify, when I said market value I was referring to the highest price you would get if you sold it on the open market (of course, in this case you wouldn't just list it on eBay). That is different from Google's bug bounty program, as they are the only buyers in that system and could offer you as little as they wanted (or nothing at all), and you would have no recourse.


The logic I'd use is that selling a bug with full knowledge of the specific criminal or tortious activity it will be put to use in is more dangerous than selling a bug that has a relatively diverse market of buyers and for which you'd have strong plausible deniability (not to mention a network of gray-market middlemen insulating you from any actual knowledge of offenses). My mental model of this is Stephen Watt --- but I only know the surface level of what was reported in that case.

Generally just my logic would be: selling bugs for which there's an established market is safer than selling one-off bugs to idiosyncratic buyers.


That makes absolute sense to me, and I agree.

However, it doesn't cover the aspect that some bugs are directly monetizable without needing to be sold (as was the case with my Google XML Sitemap exploit).

Of course, there is a risk to directly monetizing such a bug too, but the risk calculation is then different.



