Wednesday, May 7, 2014

SPC 2014 - Bounty

Charlie Miller got me thinking about software bug bounty programs.  Are they good?  Are they bad?  Hard to say.


I found myself a little bug.
It's in your favorite app.
It makes me feel a little smug.
It'll put me on the map.

I spent a year on Mountain Dew
While plowing through some code.
I fuzzed and fuzzed, just like you do
To find a weakly node.

So after months of grinding hard,
I thought I would cash in.
I finally played my final card
The money filled my bin.

For months I longed to hear the tale
Of how the app was lacking.
But the buyer seemed to cop a fail
And others started hacking.

It was my bug that broke the app,
But someone else had found it.
They used it like a leaky tap
To hack some more, confound it!

If I had let more people know,
They may have fixed it early.
Instead I chose to make some dough,
And now I'm feeling surly.

Yes, I spent a lot of time
And did a lot of work.
But did I help commit a crime
By acting like a merc?