在 2012 年 Bloomberg 在 Facebook 的“白帽黑客”漏洞赏金项目页面发过一篇著名的文章,文中说:“如果有人发现价值百万的漏洞,我们愿意予以相当金额的奖励。” 然后有个人发现了 facebook 的一个安全漏洞: https://exfiltrated.com/research-Instagram-RCE.php
大概是说可以通过漏洞最终可以拿到 instagram 的服务器的账户权限,也可以拿到几乎所有用户的照片。很明显,这个漏洞确实价值百万美金,但是 facebook 以这个漏洞有人报告过为由,最后只愿意支付 2500 美金。
来自官方的对这件事情的解释:
https://www.facebook.com/notes/alex-stamos/bug-bounty-ethics/10153799951452929
在评论中有人分析到:
So "someone" reported an RCE vulnerability, one that could give access to private keys, aws keys (seriously, its 2015. IAM roles.) and probably more. And so you only paid this new reporter $2500 because it had already been reported. So basically, you were notified of a critical RCE and didn't fix it for long enough for at LEAST one other reporter to find it? That's the official story you want to go on record with? Seriously?
说实话我同意他的看法,不可能这么大的漏洞被人报告过没有修复。大家怎么看?