bruh2 10 months ago

Judging by blog posts on HN, I got the impression that these vulnerabilities are often not rewarded at all, or rewarded by a minuscule amount. It almost seems like companies are begging hackers to sell these exploits. Perhaps because they aren't penalized by the regulator for breaches?

  • Spivak 10 months ago

    They offer a low price because the risk of tanking your career, landing yourself in jail, and the fact that the researcher probably doesn't know how to line up a sale means the company is the only buyer.

    I would go the other way, companies offer low bug bounties because they don't want researchers to discover them in the first place. This looks terrible for Arc despite the fact that, if left undisclosed, it probably would have continued to be unexploited for years to come.

dgellow 10 months ago

Yeah, that was my first reaction. I'm really surprised they were cheap on this.

isoprophlex 10 months ago

Yeah, you have to have some solid backbone not to sell this off to some malicious party for 20-50x that amount...

  • umanwizard 10 months ago

    Am I too optimistic? I feel like most regular people I know wouldn’t sell this off. Most people are not antisocial criminals by nature, and also wouldn’t know how to contact a “state actor” even if they wanted to.

    • pityJuke 10 months ago

      > also wouldn’t know how to contact a “state actor” even if they wanted to.

      That's why brokerages like Zerodium exist - you can sell it to them, and they'll sell it onto state actors.

      • apitman 10 months ago

        How does this work in practice? What systems are in place to prevent someone selling an exploit and then turning around and disclosing it properly as soon as they have the money, potentially getting even more money through legal channels? Is there some sort of escrow?

    • diggan 10 months ago

      > Am I too optimistic? I feel like most regular people I know wouldn’t sell this off.

      Probably you're just used to a relatively good life, not a bad thing :)

      Imagine being able to sell this off for $20,000 (although I think you could ask for more, seems to be a really bad vulnerability) in a marketplace; for >90% of the world that's a pretty good amount of money that you could survive a long time on or add a lot of additional quality to your life.

    • timeon 10 months ago

      Opportunity makes a thief. Most people do not have the opportunity even if they have the skill.

  • saagarjha 10 months ago

    A malicious party who wants a vulnerability in a browser effectively nobody uses?

    • shepherdjerred 10 months ago

      Arc is used disproportionately by users who work in tech which tend to be paid quite well.

      Am I wrong in thinking that with this vuln you could drain any financial accounts that they log into Arc with? Or, if they use Arc at work, that you now have a way to exfiltrate whatever data you want?

      A browser vuln is about as bad as an OS vuln considering how much we use browsers for.