Reply to post: Re: I fixed $100 mil Amazon bug and all I got was this t-shirt.

AWS launches BugBust contest: Help fix a $100m problem for a $12 tshirt

Anonymous Coward

Re: I fixed $100 mil Amazon bug and all I got was this t-shirt.

Yeah, this scheme is really pathetic.

Many organizations don't pay bounties. I understand that. But if you have the resources of Amazon and you're going to make a big public announcement...

When we first got our PSIRT into shape and began dealing with outside researchers in a consistent manner, we (the PSIRT members) asked for budget for a modest bounty program, and were turned down. Oh, well, I understand that; it's an unknown exposure, and legally complicated, and there are other issues (as Moussouris has discussed at length).

But we always gave credit, in the form requested by the submitter, in the public fix announcement. And we were able to wrangle a little money for a t-shirt program. The t-shirts were personalized – they had the company logo and something about security on the front, and the CVE(s) for the bug(s) submitted by the recipient on the back. So at least the researchers had public acknowledgement.

Biting the hand that feeds IT © 1998–2021