PayPal has fixed a critical flaw that allowed an attacker to delete any account at will and replace it with one of their own. In April, security researcher Ionut Cernica discovered that US PayPal account holders could add an email address to someone else's account by visiting a PayPal webpage. This then allowed the account to be …
"The bug will net Cernica $3,000 at most,"
That's not going to encourage people to help a company. He deserves 10 times that.
Those who are honest are not motivated by the amount of money they receive as a reward; they are motivated by doing what is right. If the amount of the reward is what determines what a person does, then they have no moral compass, and that will eventually be their downfall.
Re: Good job
Oh man, it has nothing to do with honesty. It's about legal protection.
While I agree that greed is a bad thing in such circumstances, I doubt the vast majority of people that do this sort of thing for a living are thinking of Bugatti Veyrons and spending time in the Casino in Monte Carlo.
These guys could have exploited the bug and made a fortune out of it. They didn't (as far as I know); they took a measly $3,000 for their efforts. What you don't understand, Born2Win, is the amount of risk involved in embarking on such honesty. We live in a time where being honest can land you with some time in the nick. The problem we have at the moment is that it is far easier and probably less risky to exploit a bug for financial gain than to disclose it for kudos.
What is needed is a standardised procedure for such disclosures to occur. We have systems for helpdesks (ITIL), software testing (ISEB) and project management (Prince) etc., but why not a standard, officially (hesitated and removed government) ratified protocol for bug disclosure? Also, we have organisations that oversee energy, communications and television. Why not one for digital security?
Disclosing a bug to the likes of PayPal et al is a roll of the dice. What these guys pulled off is a very grey area in law. It could be interpreted in the UK under Section 1 of the Misuse of Computers Act and probably other such outdated legal flim flam.
Therefore financial reward is necessary to allow people like this to have a small stockpile of cash to protect themselves in the event of a future disclosure resulting in a lawsuit.
Honesty isn't cheap, my friend; it can be rather costly.
Whatever happened to 'stick 'em up, give me the money'?
It went the way of Dick Turpin.