As if by magic ....
only yesterday I commented on the shitfest waiting to happen once you turn what should be a paid job -i.e. bug hunting - into a lottery after the Microsoft bug bounty initiative.
A security bod angry at Valve's handling of bug reports has disclosed a zero-day vulnerability affecting the games giant's flagship Steam app. Russia-based bug-hunter Vasily Kravets said that he was releasing details of the flaw, an elevation-of-privilege hole, after a series of poor interactions with Valve led to him getting …
Seriously, you're prepared to argue that Valve not paying this bounty is because of MS?
Go on then, "bare facts" me up!
Grin, it's just too easy to get some people excited these days. I need another 111 downvotes to hit the 10k, though, so expect more :).
You probably still use "M$" too.
Nah, that's too easy and boring. Also doesn't quite get any of the antsy reactions.
Don't worry, it wears off. Once I have the downvotes I was after I'll stop poking fun at Microsoft for a while - I want their PR people to feel safe first :).
Seems like lately the Microsoft PR army has landed at El Reg. They don't know humour, just downvoting and preaching the religion.
Finally someone who gets it, I had almost given up hope. That's all I have been doing - merely offsetting the Microsoft PR army - but some people have (a) no sense of humour and (b) take this as personal affronts which I frankly find hilarious.
That said, I don't actually like to troll that much (I'm more for the occasional good-natured prod), but Microsofties appear to be so extraordinarily sensitive that it's kinda hard to fight the temptation.
Oh, by the way, please go ahead and downvote. I'm trying to win a bet :).
It takes a hell of a lot to get yourself banned from HackerOne. That implies there's more to this story than is being told. At the very least I have to assume he was extremely abusive to the staff there.
Bug bounties are always hit and miss for payouts. What one person considers a critical flaw another considers unimportant. Getting abusive for having your claims denied is unacceptable either way. Releasing the code into the wild after having it denied is also a complete d&ck move. It just shows you don't actually care about the security of your fellow netizens; you're just there for the potential payout...
Of course people are in it for the money. That's not in question. But releasing the code into the wild doesn't get you paid either, and it DOES put everyone else in danger. So I reiterate, it's a d&ck move.
It also seems pretty dodgy to me that he found this bug in Steam AFTER he had already been banned from Steam's bug bounty program. If you've already been told they won't pay you for anything you find, why would you spend time hunting for bugs in their program? The only reason I can come up with is malicious intent.
People are in danger whether he releases it or not. Would you prefer to be in danger and NOT know about it, or be in danger with the knowledge that you are in danger? I would at least prefer to know.
You also assume that he looked for the bug AFTER he had been banned. It is a far more likely scenario that he found both bugs at the same time. They are, after all, variants on each other.
Additionally, in a previous post you decried that he was just "into it for the payout" and didn't care about his fellow net citizens. Now, however, you just equated searching for bugs without expectation of payout as "malicious intent".
If hunting for bugs with expectation of payout is bad, and hunting for bugs without expectation of payout is bad, then by your definitions ALL bug hunting is bad.
He tried responsible disclosure first -- they told him that they were not interested and banned him.
People are in danger whether he releases it or not.
I'm not so sure about this particular bug. If someone has physical access to your PC/laptop, then maybe. However, if you walk into where your computer is located and there's a guy wearing a hoodie with a bunch of 1's and 0's floating around him, then yes, you have a real problem.
Or a lan party...
Physical access, in this context, usually means being connected to the same switch/subnet/LAN with no need to transit a firewall, or c$ being open and accessible; not physical access in the sense that the device is air gapped and accessible only through 5 vault doors and 100m underground.
Maybe true, but he wasn’t banned from HackerOne, just from Valve’s part of it. That’s not quite the same thing, and may well have been the result of someone at Valve thinking he was irritating.
Unrelated note, what is it that Valve actually DO these days, other than sitting on a vast pile of money made off of other people’s hard work?
They probably occasionally go swimming in their giant money pool. .... ArrZarr
They always go Deep See Diving for giant grant money pools, ArrZarr.
Titans such as develop and maintain this type of Internetional Security Program ........ Leading AI with JEDI Projects in Overall Remote Command and Total Virtualised Control.
A Veritable King Solomon's Mines of a Bonanza to Value According to Practical Ethereal Worth.
Releasing the code into the wild after having it denied is also a complete d&ck move.
Perhaps, but in context I would disagree.
If I found a bug in your product, report it, and you deny it - what should the next step be?
I see three options for the hunter:
1) Do nothing. Let the bug remain and leave everyone using it still open.
2) Release it to the wild like he did. At least people know now about it.
3) Sell it on the black market making sure that the bad guys know first.
If I release it into the wild then maybe next time someone will listen if I try to report bugs.
After all, if the bug isn't serious enough to be paid for finding it then it follows that releasing it into the wild shouldn't cause any serious problems, right?
Also, if he was only there for the potential payout he would have just sold it on the dark net. The fact that he didn't shows that he DOES care about the users - just not about the company that rejected him.
This. I've been involved in bug bounties for the past 7 years on all sorts of platforms including Bugcrowd and HackerOne. The issue that this researcher ran into is quite common, and you're always left in weird limbo land. It basically goes like this:
a) submit bug, and it's classed as 'won't fix' or 'out of scope' or <insert reason>
b) you ask if you can go into public disclosure - because of various NDAs and T&Cs attached to many 'private' programs, you can't...
So basically you're sitting on something which is a known vulnerability and impactful but for whatever reason they've decided it isn't an issue, but you can't release it. This is where ethics take hold and everyone has a different opinion.
Personally I've never released vulnerabilities into the wild like this. It also means I know dozens of companies that have vulnerabilities in their products and they know it, and I know it, but that's it. It's now their problem, not mine. Spin that Karmic wheel and watch it goooo!
"Personally I've never released vulnerabilities into the wild like this. It also means I know dozens of companies that have vulnerabilities in their products and they know it, and I know it, but that's it. It's now their problem, not mine. Spin that Karmic wheel and watch it goooo!"
An ethical dilemma? Balancing the risk of loss to possibly millions of people against the legal "fiction" of some likely overly onerous NDA that might not even be a legal document if it's untested in court?
If news about the vulnerability gets released, the company will be forced by customers (who may not "understand" that it doesn't matter) to fix it, but if he just sits on it like Valve wants, the vulnerability remains, and if he discovered it, that means it is discoverable, so eventually someone else will, if they haven't already. Keeping quiet makes sure the people who don't know they are vulnerable remain that way, while speaking out at the very least fixes the "don't know" bit, if not also the "vulnerable" bit.