
How then do we assess the extent of the vulnerability?

As Wes proved, a simple-looking RCE can lead to a huge breach of security due to failures in other areas.

I agree that limits must be established, but also, these must not end research so abruptly as they can lead to further information.

One might argue this is unethical, but a black hat doesn't care either way.

> How then do we assess the extent of the vulnerability?

It's already a critical vulnerability. Unless you want to assign numbers to the infinity, which is ridiculous.


Yet we know not all critical vulnerabilities are created equal.

That's why some get a 10k payout and others get a 2.5k.


This is assessed based on how hard it was to elevate your access rights (whether it requires physical access, user cooperation, etc.), not on how much damage you can do - because once you elevated your rights the possible damage is unlimited.


Except in that case, he unearthed another completely unrelated vuln.

I agree that some actions are unethical, but does that really matter so much when a black hat is unethical anyway? The fact that he reported it meant he harbored no malicious intent.

How is collecting logins better than that? Seriously? This is completely malicious if you ask me.

Moreover, we must not judge each case strictly to the same rule, but with a measure of consideration of the circumstances as well.

