Dear Lifehacker, If someone reported and helped you fix a critical security flaw in your website that could be exploited by hackers to do evil stuff and potentially harm your customers, would they be rewarded? I’ve been wondering about this for a while. Thanks, Speak No Evil
Lock picture from Shutterstock
Dear SNE,
It’s always nice to acknowledge when someone has done you a good turn, and that acknowledgement might extend to a thank you gift of some sort. Whether that’s appropriate depends on the degree of severity. If the problem is a complex one and your informant has helped with implementing the fix, then you might consider giving them a reward. If all that has happened is that you have been notified of a well-known flaw in a common software package that can be fixed by upgrading to a newer version, then the thanks are more likely to be on a “I’ll buy you a beer” level.
There are parallels here with what happens in software development. Companies will usually acknowledge researchers who have identified flaws in their software, and may sometimes offer a monetary reward. However, that’s often contingent on not publicising the existence of the flaw before there has been an opportunity to fix it. Finding flaws is helpful; screaming about them from the rooftops and altering the ill-intentioned to them is not.
Cheers
Lifehacker
Got your own question you want to put to Lifehacker? Send it using our contact tab on the right.
Comments
6 responses to “Ask LH: Should People Who Find Security Flaws On Your Site Be Rewarded?”
With big sites yes. It saves the company money if the vulnerabilities are exploited. Think of it like an insurance policy.
Actually, yesterday there was a big story about a 17 year old who has been denied a payout by paypal even though he found a huge bug on their website.
Reading the original question, I think “Speak No Evil” was actually asking Lifehacker if they would give out a reward.
I’ve found that they usually don’t even acknowledge it, let alone thank you or reward you.
I’m looking at you Citibank.
yes. or at the very least a thank you.
They should, but some people have actually gotten in trouble for trying to help certain parties with security
http://www.smh.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how–770000-accounts-could-be-ripped-off-20111018-1lvx1.html
Only because someone else hacked the website and they thought it was him. The company should be fined or sued for handing out personal information of 700000+ people publicly and for not having secure systems. Changing a URL to reveal private information is not hacking.
With my web host, I found my site was accessible on the IP address hostname. Changing the number, I found other customers sites, and because one guy hosts the websites in folders, he had a backup folder that could download his entire site and database, all unencrypted. I informed the site owner 20 + days ago, haven’t heard back, so I have informed the host about it now.
Manage your employees working hours by the automated employee time clock software system. No need to fill out and check attendance sheets and no hassle of employee time theft. http://timemanagementsoftwaresystem.weebly.com/
Have you ever analyzed that how much your business can take financial benefits from biometric enabled time and attendance clocks? http://george-smith27.livejournal.com/608.html