I would agree. Take the case of, I believe, United Airlines: someone found a vulnerability in their systems and received a million frequent flyer miles in return. A lot of times people get jobs out of these discoveries and are placed in some sort of security consulting position.
> On Aug 13, 2015, at 4:06 PM, Littlefield, Tyler <ty...@tysdomain.com> wrote:
>
> Generally they do actually pay people who find security problems, or payment can be worked out. But finding exploits isn't as easy as tweaking a setting here or there; it takes a lot of work. Usually when you do it there are other reasons behind it: being the one to find an exploit gains you a lot of reputation. Others do it to sell the exploit as a zero-day vuln, which is illegal.
>
> On 8/13/2015 2:52 PM, Shaf wrote:
>> That's good for you. A wealthy company such as Apple should pay those who find security holes and report them to them.
>>
>> On 8/13/2015 7:36 PM, Littlefield, Tyler wrote:
>>> Hello: A lot of companies do have bounties like this. For example, the company I worked for works on Drupal. There was a bounty offered through the association. I report stuff like this I find when it is a problem, not because I want to get paid but because that's the only way to fix things. I do it because it's the right thing to do and it helps other people. Any security holes that can be fixed, regardless of whether or not I get paid, help me (as I'm obviously using the product) and help others as well.
>>>
>>> Thanks,
>>>
>>> On 8/13/2015 2:27 PM, Shaf wrote:
>>>> Why should I tell Apple of exploits if they don't pay me?? They should introduce a bug bounty program. Otherwise I have no interest in keeping their bugs confidential.
>>>>
>>>> On 8/13/2015 7:10 PM, 'Chris Blouch' via MacVisionaries wrote:
>>>>> With the complexity of OSX and iOS I think if somebody figures out the right combination of tweaks to bypass security they should tell Apple right away and hold off a bit before telling the world. At least give them a chance to fix it before giving a free hand up to the bad guys. Of course that lead time needs to be kinda short, as the vulnerability needs to be fixed before some bad folks find it and/or continue to use it. With Apple's automatic updates it can also be a while before a reasonable chunk of the population has installed the patch. So I'd guess 90 days would be pretty reasonable. If a patch hasn't been released by then, it's time to put public pressure on Apple.
>>>>>
>>>>> That said, the oasis of pulchritude hasn't entirely dried up. Yes, there are issues and the popularity of the platform has attracted unwanted attention from certain quarters, but at least there seems to be a reasonably good attempt to put locks on all the doors. They just sometimes forget and leave a window open.
>>>>>
>>>>> CB
>>>>>
>>>>> On 8/13/15 1:21 PM, Sabahattin Gucukoglu wrote:
>>>>>> I don’t agree with the author. Of course, this is MacWorld—some amount of Apple butt-kissing is to be expected—but I find his attitude very worrying.
>>>>>>
>>>>>> First, “Responsible disclosure” vs “Full disclosure” is a choice of researchers, and privileged authors of the press shouldn’t be using their personal ethical judgements about it to suppress public information about flaws simply on that basis. That alone is reason enough to simply distrust any further writings of the author. I am personally of the opinion that we are well past the usefulness of “Responsible disclosure” as a strategy; giving companies rope, but not quite enough to hang themselves with, isn’t moving security forward any faster.
>>>>>>
>>>>>> Second, and more important, a privilege escalation vulnerability isn’t a problem for advanced users, who already know what Glen is suggesting, i.e. don’t run dodgy software. It is precisely those people who have been trained, per the standard advice, not to type in their passwords when they are suspicious who will be most hit by the root bypass. Obviously, better advice would be “Just don’t trust anyone”, but that’s not how the world works, sadly. I think it’s time for us to acknowledge that the Mac, once a peaceful neighbourhood with only the occasional bit of easily-preventable rogue badness that you could get rid of by just clicking “No” or “Cancel” or whatever, is now increasingly occupied by bad software that is well-advertised, easily installed and hard to recognise by a lot of inexperienced people, and anybody giving a Mac to somebody to keep them (the recipient) quiet and out of their (the donor’s) hair now needs to hold Apple’s once glorious patch turnaround times to account. This is *especially* true if the donor has delivered the Mac with a limited user account and all necessary software already installed or only accessible from the Mac App Store, because as soon as Flash becomes the vector, we’re all finished.
>>>>>>
>>>>>> Microsoft have learned their security lessons the hard and painful way, and now it’s Apple’s turn. Please don’t give apologists fodder for their absurd denials.
>
> --
> Take care,
> Ty
> twitter: @sorressean
> web: http://tysdomain.com
> pubkey: http://tysdomain.com/files/pubkey.asc