RE: Zero Day Vulnerability
Now that's unfortunate and interesting. I read through the article and the comments, too. I think his work is awesome and am very impressed by it, given that I have not much of a clue, of course. But I'll try to keep it neutral in this comment:
First - worst possible communication if that mail is true like that or even in the ballpark. The people in charge of communication really have to up their game, not the first time it's an issue.
Second, numbers. a) The value of his work hours. Knowing the value of the work does help, though, to find a fair number. But it seems like he's German, so the €/h in Germany should be used. But what if someone in Ecuador finds the bug? Or another low wage country? Or a super high wage country? I don't think this is a good approach.
b) Calculating as a full time job is not applicable as he was never hired to do so. It seems to be a hobby, and he's getting financed from other Hive-platforms to use a high end AI to do just that. He did a few great reports on that. So, basically, it's a quid-pro-quo situation. He gets access to an awesome tool and in exchange he helps platforms to fix their security issues.
c) I'd rather go from the potential risk of the issue, how much could've been stolen, and hence how much damage it prevented in the future. Which I can't estimate without numbers.
d) As mentioned in the comments under his post, the bounty should be according to the means of the platform. The DAO funds are not endless, but limited to 5k. If they have 5k, spending all of that for one bug (no matter how big) doesn't leave anything for other vulnerabilities. If we go from the budget, I'd say 20% is fine, $1000. That gives the DAO enough wiggle room to finance 4 other big vulnerabilities and sends a good signal to other White-Hatters, which is important too. Hopefully unnecessary, but who knows.
Third, compromise. The DAO could buy him a month of that Anthropic Hacker thing that seattlea mentioned, and ask him to find more vulnerabilities so they can learn from them and avoid that kind of code in the future. If that's possible.
Fourth, the DAO could establish a small fund for White Hatters. Those who put in the work, of course, not those who send those screenshot e-mails that Louis mentions. Set some rules, a pathway of how to determine the value of vulnerabilities, and so on.
So, in essence: $1000 for a major vulnerability that could've cost the company dearly. If communication was really that rude, an apology is in order, too. And maybe the offer to finance a month of a great AI to find more weaknesses.
There will be a proposal so you will get to ask these questions to Louis in gory detail :)
I already DV'd the pre-proposal for lack of information. Can't assess the situation like that. Again, communication...