Comment by acheong08

Comment by acheong08 9 days ago

3 replies

It's disappointing how many companies don't offer a bug bounty. I have a hoard of vulnerabilities I've found over the years just sitting in my head. It doesn't help that there are legal risks with reporting them & they can technically sue you to hell (EU/UK)

gosub100 9 days ago

It's probably the result of some very backward-thinking rationale: "If we get hacked by the bad guys, our shareholders will point to these bounties and say 'wait, you're actively paying people to hack you and now they did and you're going to have to write down an additional $X Million?'" Execs afraid of having egg on their face, perhaps.

  • caseyy 8 days ago

    It’s probably more in line with “no one reported any bugs so probably there aren’t any”.

    • gosub100 8 days ago

      yeah it could go that direction too: "hey, you paid these people to find bugs, they found one, you paid them a princely sum, and this exploit that cost the company $X Million was based on that bug. Why are you paying people to help hackers destroy your company?!?"