Comment by bloopernova

Comment by bloopernova 10 months ago

Will you be increasing the bug bounty payout? $2,000 is a tiny fraction of what this bug is worth, I hope you will pay the discoverer a proper bounty.

You've been handed a golden opportunity to set the right course.

JumpCrisscross 10 months ago

> $2,000 is a tiny fraction of what this bug is worth

The Browser Company raises $50mm at a $550mm post-money valuation in March [1]. They’ve raised $125mm altogether.

Unless they’re absolute asshats, they’ll increase the bug payout. But people act truly when they don’t think they’re being watched—a vulnerability of this magnitude was worth $2k to this company. That’s…eyebrow raising.

[1] https://techcrunch.com/2024/03/21/the-browser-company-raises...

Reply View 8 replies

shuckles 10 months ago

"We will let anyone run arbitrary JavaScript on all your web pages if you send them a referral link" is surely a 6-7 figure vulnerability for a web browser. That this vulnerability was discoverable using about two steps of analysis tools suggests many more issues are in the product.

Reply View | 5 replies
- rafram 10 months ago
  
  Not just that - seems like it allowed running privileged JavaScript (full access to your system) on the preferences page as well.
  
  Reply View | 4 replies
  
  voiceblue 10 months ago
  
  It is very strange to me that their attitude is "no one was impacted" and this is "hypothetical". Any serious company would immediately consider this to be a case where everyone was impacted! This is like coming home to the worst neighborhood on the planet to find your door wide open, and immediately putting on a blindfold so you can continue to pretend nothing's changed.
  
  Reply View | 3 replies
cutemonster 10 months ago

They have more users than what I could have guessed:
> As of July 2023, The Browser Company has 100,000+ users
https://www.boringbusinessnerd.com/startups/the-browser-comp....

Reply View | 0 replies
behringer 10 months ago

It doesn't matter what bug bounty pay pay. If it was 200k people would say it's not enough.

Reply View | 0 replies

rattray 10 months ago

Hursh responded elsewhere on the thread:

https://news.ycombinator.com/item?id=41606219

Reply View 0 replies

Laaas 10 months ago

Any new vulnerability will be sold to the highest bidder and/or exploited instead of being reported for the bug bounty because of this.

Reply View 4 replies

poincaredisk 10 months ago

Most of the vulnerabilities I've disclosed, and I've seen disclosed, were disclosed for free, with no expectation of getting anything. Why do you think every researcher is an amoral penny pincher who will just sell exploits without caring for the consequences?

Reply View | 2 replies
- Novosell 10 months ago
  
  Wanting money to live = penny pinching. Very cool.
  
  Reply View | 0 replies
- lukan 10 months ago
  
  Projecting?
  
  Reply View | 0 replies
UncleMeat 10 months ago

I know a lot of different people who do independent security research and have submitted vulns to bounty programs. Not a single one would even come close to saying "well, the bounty is low so I'll sell this on the black market."
Low bounties might mean that somebody doesn't bother to look at a product or doesn't bother to disclose beyond firing off an email or maybe even just publishes details on their blog on their own.
Bounties aren't really meant to compete with black markets. This is true even for the major tech companies that have large bounties.

Reply View | 0 replies

[removed] 10 months ago

[deleted]

Reply View 0 replies