Software security courtesy of child labor

We couldn’t help but poke a little fun in the headline. This is [Alex Miller], a twelve-year-old who claimed a $3000 bounty from Mozilla. See, [Alex] is a self-taught security guru. When Mozilla upped the reward for discovering and reporting critical security flaws in their software, he went to work searching for one. He estimates that he spent an hour and a half a day for ten days to find the hole. Fifteen hours of work for $3000? That’s pretty good!

Is it good or bad to pay for this kind of submission? The real question: is the bounty high enough to get blackhats to report vulnerabilities, rather than selling software that exploits them? Let us know what you think in the comments.

[via Zero Day]

Comments

  1. biozz says:

    God damn, I thought I started young XD

    He is second only to Zero Cool XP

  2. Gdogg says:

    1st. I’m jealous. I wish I was that technically adept now, let alone at 12.
    2nd. Yeah, I think it’s great to encourage people to share this kind of stuff. I know I personally would put more work into it if I knew there was more than e-fame in reporting big flaws.

  3. Junglizer says:

    I think, at the minimum it may provide incentive to those that have the skills to improve software but normally wouldn’t be bothered. If I had any clue what I was doing, the monetary incentive would increase my chances of spending time to fix this stuff.

  4. Aaron says:

    Three grand doesn’t strike me as being near enough to make reporting a fresh 0-day vuln worth a black hat’s while; if being a black hat didn’t pay a living wage (i.e., a lot more than any measly three grand), it wouldn’t be such a big industry in the first place.

  5. fluidic says:

    Shouldn’t have any trouble getting into that competitive CS department now…

  6. Denial says:

    At least he doesn’t sing…

  7. mess_maker says:

    Good for him, he should be proud. I wonder how this will shape his future? It would be interesting to see what he is doing 15 years from now.

  8. BobSmith says:

    It doesn’t make [sense] to put random things like [names] in [brackets]. Please [stop] raping [English punctuation].

    • Caleb Kraft says:

      @BobSmith,
      Often, people go by usernames/nicknames on the web. This can cause a lot of confusion, especially when their name is a technical term, or just plain gibberish. Putting their name in brackets identifies it as their name. We’ve always done it and plan to continue. We are, however, aware that we may not have the best grammar. We’re trying to improve this.

  9. It’s a tradition from when we used to force no-caps. I also like it because it lets me instantly distinguish who is responsible for the hack.

  10. biozz says:

    @BobSmith
    what are you talking about?

  11. Eric Seifert says:

    @Aaron, $3000 is a living wage in a lot of the world (China, India, etc.). I would say $3000 is pretty decent, and that’s for only one exploit.

  12. johnmc says:

    Great for the young man! Hope he goes far.

    Can I recommend a change of the title? American jurisprudence being the way it is these days, it would not surprise me to see some child protective services freak out and go all Roman on this.

  13. Taylor Alexander says:

    If he found just one exploit a month, and got $3k for each one, it would be an okay wage. Not as much as he’d make as a programmer, but possibly much less demanding – he wouldn’t have to report to work at a given time, etc.

    Either way, I certainly think these things are fair to pay for. Some people might want more money and they might sell to the black market, but for all the good people out there who aren’t in it for the money, $3k is enough to justify giving it up to the good guys. Sure, they could be a bad person and make more money, but there are plenty of people out there who don’t work that way, unless it’s lots of money.
    -Taylor

  14. Gert says:

    They ought to support that kid more. Give him a scholarship. He sure has got some talent.

  15. IceBrain says:

    @Taylor Alexander:

    Programmers might get paid more per month, but they don’t work 15 hours/month either. He got $200/hour; that’s a high salary even for a programmer.

    If he wasn’t 12, it’d be a nice job complement.

  16. Dex says:

    You call this child labor; better if you don’t know what even younger children have to do just to make this amount of money in a year in India.

    Exploit development and bug hunting don’t pay off that well. Those who were selling exploits probably know this already. You can get more money with a normal coding job. Also, this kind of work requires special thinking; not everyone has the ability to be good at it. Let the few who are make money this way.

    BTW I have no idea what this article is doing on HaD…

  17. andrew says:

    Microeconomics would suggest that as supply (of working exploits) decreases, the price people (bad guys) are willing to pay should increase. Although, if some exploits are harder to find than others, then we would expect rewards like these to result in discovery of the low-hanging fruit, so to speak.

    So, if you’re a bad guy and you want to buy an exploit, the remaining ones are going to be more expensive because 1) there will be fewer blackhats to buy them from and 2) they will require more time and/or skill to identify. As a result, the system itself might guarantee that not all the possible exploits are identified because the cost to identify them increases as more exploits are identified.

    If rewards like this didn’t exist, then blackhats would have a greater supply of exploits because presumably it would take longer for software firms to close holes they are not aware of. Greater supply exists because blackhats could keep selling the same exploits over and over again.

  18. DanAdamKOF says:

    @Daniel
    I LOL’d.

  19. Brian says:

    Usually these little nerds look like little *fill in word here*, but I applaud this guy for not looking like a *same word* Justin Bieber and for doing good work haha

  20. Chiablo says:

    I think that more important than the $3000 bounty is the recognition he received for potential university recruiters or job headhunters. This is definitely portfolio worthy if he decides to get into the security or IT field.

  21. jeditalian says:

    I never knew anybody paid at all for bug reports. I thought they were free, just pointing out “hey fix this”. That is awesome, a lucky kid, and do you think he put the money in savings for his future or built a six-core desktop?
    No more anonymous bug reporting from me!

  22. Zaphod says:

    There are even companies that pay you for finding bugs and make money by selling the knowledge to the company that makes the software. The problem is, on the black market one can achieve a price that is ten times higher.

  23. Adam says:

    @jeditalian;

    Mozilla only pays for dangerous exploits (remote code exec) found, so does Google for Chrome.

  24. Okay, so the basics. How to make money finding vulns:
    1) Be a blackhat. Find a vuln, exploit it to steal peoples’ WoW gold, sell it back to them for real money, etc. (Or sell it to someone who will steal the WoW gold.)
    2) Sell to 3rd parties. There exist agencies in every major government, and also commercial companies, that buy vulnerabilities. They pay good money for vulns. This is probably the sweet spot, since you make decent dough, and you don’t have to go to jail (unless you sell them to the wrong government).
    3) Sell to 1st parties, what this kid did. This doesn’t make you much money. With most vendors, you’re lucky if they even thank you. However, you get exposure, and it’s sometimes (e.g. with Mozilla) less hassle than selling to a 3rd party. If you want an “in” in the security industry, this is a good way to make a name for yourself.

    The people that the 1st-party bounties attract are the people who want exposure. Mozilla probably will not compete with iDefense, and certainly not with some shadowy TLA. However, white hats are more likely to look for vulns in a product whose vendor appreciates their work (Mozilla) than one who may try to sue them (Apple). It is extremely unlikely that $3k will sway a blackhat, but it is likely to sway whitehats.

  25. Cedric says:

    In four years he will have the same exact haircut as Justin Bieber…

  26. Maave says:

    I feel very inferior now. Thanks a lot.

  27. jeditalian says:

    Pretty sure you’d find more vulnerabilities in Chrome, plus Google is über wealthy. Sometimes I feel that I could do more when I was 12 than I can do now. I can hardly remember HTML but back then, I was proficient.

  28. herpaderpderp says:

    Kinda jealous. Finding a JavaScript bug isn’t that big but still for a 12 year old pretty cool. Maybe he just “fell” over it and that’ll be his one and only bug report (though he seems to know his stuff, when I look at the report) but let’s see what the future of this kid brings.

  29. bob says:

    Like the photo. Carefully arranged.

  30. Dude says:

    This is it: https://bugzilla.mozilla.org/attachment.cgi?id=461339
    Nothing to see folks, move on. Textbook example.

  31. NFN_NLN says:
  32. jbot says:

    @Dude: maybe I should pay attention to what links I click from here on out… *dons dunce cap*

  33. D_ says:

    First, way to go Alex. Hope Alex keeps a level head, and is aware that the next payday may not come so easily, in so little time. Alex should be advised to diversify, so as not to put all his eggs in one basket.

    Such awards are a wise investment if they convince current users or potential users that open source software is secure. A need to make too many such awards would have the reverse result, and may curb the donations coming in the front door that make these awards possible.

    There is not a thing wrong with the post title. Concern about child protective services, in the manner it was brought up, has to be some more pre-election fear mongering we just can’t get away from.
