Comment by echoangle a year ago

8 replies

> It's also disappointing that EA has yet to start a bug bounty program. Without any real incentive to report vulnerabilities, I know people who have instead chosen to keep them to themselves. I would love to see EA follow the rest of the industry's lead here.

Does that mean the author got nothing for reporting this?

jandrese a year ago

It's not true that they got nothing. There's always the possible threat of legal action against them for reporting the vulnerabilities.

  • gchamonlive a year ago

    I mean, after all, that's what we are all here for, right? Fish and legal liability.

acheong08 a year ago

It's disappointing how many companies don't offer a bug bounty. I have a hoard of vulnerabilities I've found over the years just sitting in my head. It doesn't help that there are legal risks with reporting them & they can technically sue you to hell (EU/UK).

  • gosub100 a year ago

    It's probably the result of some very backward-thinking rationale: "If we get hacked by the bad guys, our shareholders will point to these bounties and say 'wait, you're actively paying people to hack you and now they did and you're going to have to write down an additional $X Million?'" Execs afraid of having egg on their face, perhaps.

    • caseyy a year ago

      It’s probably more in line with “no one reported any bugs so probably there aren’t any”.

      • gosub100 a year ago

        yeah it could go that direction too: "hey, you paid these people to find bugs, they found one, you paid them a princely sum, and this exploit that cost the company $X Million was based on that bug. Why are you paying people to help hackers destroy your company?!?"

Cthulhu_ a year ago

That's how people go to the shadier side of the internet to sell their information to the highest bidder.

richbell a year ago

> Does that mean the author got nothing for reporting this?

Correct.