qmarchi 9 days ago

BattleDash - "Here's XSS, Account Takeover, Ban Reversal, and a heads up before I publish it"

EA - "So here's $0."

If anyone is at EA, this man just saved the integrity of your entire empire, you might want to give him at least a token amount.

  • londons_explore 9 days ago

    My experience with big companies is even if the whole IT security team thinks this is worthy of a bounty, and the team has plenty of budget they could allocate to it, the process of giving money to an individual is frequently so difficult to get through the bureaucratic purchase order system that it's basically impossible to do unless you are contractually obliged to pay.

    • nijave 8 days ago

      Probably easier to hire them on as a consultant than "give them money"

  • JohnFen 9 days ago

    EA is a famously horrible company. I don't think they care much about the "integrity of their empire" because their customers don't care.

    • foobranded 9 days ago

      When I was in college, I once found some bad exploits in The Sims Social on Facebook; the subsidiary (Playfish?) behind it asked me for my address and which console I owned, and then unexpectedly sent me a huge number of games and goodies. It was great. Better than money, I think (I sold some of those games anyway).

      I reached out to employees via unofficial channels. I'm sure if I had spoken to some exec I'd be in jail right now.

boomchinolo78 9 days ago

Until we see something like this:

The company is liable for $10 per hacked user minus 100X the bounty spend for that year.

Perz1val 9 days ago

Would it be legal to publish any future vulnerabilities without giving them heads up?