RE: Zero Day Vulnerability

As I mentioned in DM when we chatted, I think this should have been handled far better and perhaps it is a good learning experience for everyone going forward that some kind of process is required. Having said that, can't go back in time and change things.

@seattlea ballparked some hours and an hourly rate at say $100 for 20h is 2000, but if he did spend that time (I don't believe it took that long) there was no guarantee of that pay, so if he found nothing, he would get nothing. So perhaps a 50% bonus on top for finding, so $3000 for the work plus the bonus.

And then having said this, it should be handled well behind the scenes and then transparently after settled, so that other people know there is an opportunity to earn a bounty. If there is no opportunity for a bounty, then Splinterlands would have lost 100% of what could have been taken and perhaps if it was someone else instead of @louis88, they would have. And remember that now, there will be others using AI to surface vulnerabilities and exploit them, with no intention of getting the bounty.

Trouble is he did find the vulnerability and did exploit it to prove that it can be done.

Knowing that, what would be a fair value that he can ask, and we can pay? Provided we want to pay.

Exploiting it as proof of concept isn't the problem. Did he then ransom it? If so, that isn't really white hat, it is racketeering or something. :)

This is where it gets grey.

Did he or did he not.

He did return the tokens. But he did so under threat. So I don't know how to classify it. So I am asking...

Here people go to jail for something like that or much less...

So I don't really know...

IMHO, you must pay Louis. As taraz said, people should know there is a bounty that would be paid in case they find a vulnerability and report it.

The best course of action in this scenario could be to fix an amount that should be paid to Louis and for future efforts made by anyone in this regard. As Louis returned the amount after being threatened, you can cut a penalty amount out of that total. This penalty amount could be fixed for the future as well.
