
It pisses me off that for something of this magnitude this guy will probably only be paid no more than a couple thousand dollars, if at all. He still has no response.


DR Congo is one of the poorest countries in the world. GDP/cap is $457 a year. If he does get a few thousand that is more than one worker earns in 10 years. https://en.wikipedia.org/wiki/List_of_countries_by_GDP_(nomi...


Understandable stance, but the damage he was capable of causing was probably millions of dollars worth. So yeah, a few thousand bucks as a thank you is reasonable.


> the damage he was capable of causing was probably millions of dollars

That applies to most of us.

It also doesn’t change the fact that there is very little money available in the DRC.


What on earth does that have to do with anything here? I probably make more as a software developer than some Americans make in 10 years.


This was good work.

The DRC has a lot of problems (to say the least) at the moment and has had for a while and this is pretty low priority in their scheme of things. Countries with weird residual TLDs for non-sovereign territory (e.g. .as or .ac) surely pay more attention to these trivial domains than anyone in the DRC can.

Which is all to say the amount of effort expended on any task, or the amount of knowledge brought to bear on a task, is only sometimes correlated with its value. Ever worked hard on a company that failed?

I felt I needed to put the first line in because my comment on your question could have been misinterpreted as criticism of the hacker.


I work for a few cities in Europe, and happen to know one of the cities had a site with an SQL injection issue. An external person found it and let the city know, but didn't want to reveal the specifics before getting money. The city has no bounty program, and for some people in the city it came across as if the guy was distorting them. The guy probably felt like he didn't get money for his work. Probably both have a point. In the end it got resolved.


The guy has no reason to expect a reward if the city has no bug bounty program. They could just sue him.


What are their damages? He's not required to disclose their security vulnerabilities to them. It's his work not theirs.


I think lovasoa is pointing out what could happen in real-life, not 'what should happen morally/ethically/etc'.


If he was smart, then he said nothing that sounds like blackmail. But you could say, for example, that I have to settle the expense of reproducing it and writing it down properly, or something similar.


Sue him for what? Discovering an exploit without disclosing the details?


It depends on the country, but in France for instance, there is a maximum sentence of one year in prison and a 15000€ fine just for "fraudulently accessing a data processing system", or trying to do so even if you don't succeed.


And they'll prove that without knowing what the exploit is?


  s/distort/extort/


Yes right. Apologies.


It may not directly pay, but his reputation as a security expert is enhanced.

I don't know whether "Big Internet" (ICANN, IANA, IETF, RIRs) has its own security group like the commercial companies do (Project Zero, various EH companies). RFC3013???

We have to depend on people who can take time to look for exploits in exchange for reputation.


Getting paid in exposure is not getting paid.


It seems more likely that the OP even lost money buying a useless domain name that no one will pay for. Most probably they will not even give a "Thank You".


Why should he get anything at all? Does every "ethical hacker" need to hold his hand out for a reward? (Doesn't seem as ethical, then, does it?)


If rich countries and private charities were serious about foreign aid, they'd consider helping fund things like this.


Paying developers outside the DRC? I’d imagine that most who wanted to help would prefer something more direct.



