Comment by tomjakubowski

Comment by tomjakubowski 10 months ago

17 replies

Hi Hursh, I'm Tom. A couple friends use Arc and they like it, so I had considered switching to it myself. Now, I won't, not really because of this vulnerability itself (startups make mistakes), but because you paid a measly $2k bounty for a bug that owns, in a dangerous way, all of your users. I won't use a browser made by a vendor who takes the security of their users this unseriously.

By the way, I don't know for sure, but given the severity I suspect on the black market this bug would have gone for a _lot_ more than $2k.

poincaredisk 10 months ago

Selling a vulnerability on the black market is immoral and may be illegal. The goal of bug bounty programs was initially to signal "we won't sue white hat researchers who disclose their findings to us", when did it evolve into "pay me more than criminals would, or else"?

  • tolmasky 10 months ago

    Let's set aside morality for a second. There is a reason low payouts are bad without even having to consider the black market: it pushes people to search for bugs in a competitor's app that pays more instead of in your app!

    If your app is paying out $2K and a competing app pays out $100K, why would anyone bother searching for bugs in your app? Every minute spent researching your app pays 1/50th of what you'd get searching in the competing app (unless your app has 50x more bugs I suppose, but perhaps then you have bigger problems...).

    I'm always so confused by the negative responses to people asking for higher bug bounties. It feels like it still comes from this weird entitlement that researchers owe you the bug report. Perhaps they do. But you know what they definitely don't owe you? Looking for new bugs! Ultimately this attitude always leads to the same place: the places that pay more protect their users better. It is thus completely reasonable to decide not to use a product as a user if the company that makes the product isn't paying high bug bounties. It's the same as discovering that a restaurant is cheaping out on health inspections and deciding to no longer eat there.

    • voidwtf 10 months ago

      Bug bounties are always in relation to severity, number of users potentially at risk, and market cap. A browser operating at a deficit from a small company with a small market share cannot pay 100k even if they wanted to.

      If you and a couple friends released an app that had 50k users and you’d not even broken even, can I claim my 100k by finding a critical RCE?

      • tolmasky 10 months ago

        No, because you probably haven’t bothered to find said CVE. There’s a strange refusal to understand the simplest market considerations here. I understand it sucks and you may not be able to afford it, but the consequence, regardless of all the reasons you can give, is that you will get less of the right kind of attention (security researchers). Now, you can hope that you will also get less of the wrong kind of attention too, and if you’re lucky all of these will scale together. Or, alternatively, you can for example not start by introducing features like Boosts that have a higher probability of adding security vulnerabilities, counteracting the initial benefit of riding on Chrome’s security by using the same engine. Browsers are particularly sensitive products. It’s a tough space because you’re asking users to live their life in there. In theory using Chromium as a base should be a good hack to be able to do this while plausibly offering comparable security to the well established players.

        Long story short, there are ways to creatively solve this problem, or avoid it, but simply exclaiming “well it would be too hard to do the necessary thing” is probably not a good solution.

      • netdevnet 10 months ago

        Put it this way. If someone got hold of the vuln and exploited all the users and they all sued you, how much would it cost to defend yourself in court (not even considering winning or losing)?

    • xelamonster 10 months ago

      Right, part of the idea is to close the gap in incentives for white hats looking for vulnerabilities to report and black hats looking for the same to exploit. You don't have to beat the black market price of a vuln because that route is much riskier, but somewhere at least in the same order of magnitude sounds decent.

      It's not about viewing security researchers as sociopaths who will always sell to the highest bidder; the fact is there will always be criminals going for exploits, and bug bounties can help not just by paying off someone that would have otherwise abused a bug but also by attracting an equally motivated team who would otherwise be entirely uninvolved to play defense.

JumpCrisscross 10 months ago

> because you paid a measly $2k bounty for a bug that owns, in a dangerous way, all of your users

The case is redeemable. It may still be an opportunity if handled deftly. But it would require an almost theatrical display of generosity to the white hat (together, likely, with a re-constituting of the engineering team).

ljm 10 months ago

You have no idea but you suspect someone could have made more?

  • xelamonster 10 months ago

    After thinking about it for a good long ten seconds, yeah. It would be very easy to steal users' banking information with this. If you crack into one single bank account you have a decent shot at making over $2k right there, a skilled hacker could do a lot more.

tengbretson 10 months ago

So you're not going to use Arc. How much do you pay for the browser you do use?

keepamovin 10 months ago

Should have at least paid €1 per user. Eh, maybe that’s what they did?