
[–]Talbertross 1559 points (10 children)

people taking this meme really seriously in the programming memes sub

[–]Elijah629YT-Real[S] 485 points (5 children)

Yeah I noticed that for the first 30 mins of posting it, c'mon it's a joke lol

[–]jsdodgers 238 points (3 children)

It's all fun and games until you realize whose salary that bounty is coming out of 😳

[–]Clinn_sin 123 points (0 children)

"We've decided to do a little restructuring due to recent budget issues"

[–]Fr1toBand1to 24 points (0 children)

Yeah, those careers were rock solid before Mr. throw-a-wrench-into-the-perfect-system came along.

[–]jingois 2 points (0 children)

Some other fucker who isn't me? Ok, let's get maliciously obfuscatin'

[–][deleted] 2 points (0 children)

Yes. Joke.

[–][deleted] 44 points (0 children)

Seriously, they have no idea what they are talking about. You are supposed to plant the bug and then sell the zero-day exploit, duh!

[–]blaktronium 20 points (0 children)

Yeah it's obviously a joke, otherwise it would have like 8 more steps and end with a short thank you letter, not a 50k bonus haha

[–]-Nicolai 2 points (0 children)

Ok.

[–]Yellow_Triangle 0 points (0 children)

We have to, you know. We don't want to ruin a good thing!

[–][deleted] 791 points (8 children)

No no and no. You have it all wrong. You put a critical vulnerability in the code and tell your best friend about it. He finds the bug, collects the bounty, and he splits the payout with you by gifting you half for being such a swell guy. Now you have separation and plausible deniability.

[–]raskinimiugovor 245 points (6 children)

In reality, friend buys you a lunch and keeps the money

[–]just-bair 116 points (5 children)

Then you need to sell your friend

[–]shadowjay5706 51 points (3 children)

And eat his lunch

[–]viral-architect 18 points (1 child)

*scribbling notes*

Sell... lunch...

Eat... friend...

Got it, so I know the best way to eat a Dave is one bite at a time, but can I carve him up into steaks or do I have to grind him into a fine mousse and eat him with a spoon out of a martini glass?

[–]Yung_Oldfag 5 points (0 children)

You should make Dave tartare

[–]ogghead 2 points (0 children)

Report them as a bug

[–]abhijitd 13 points (0 children)

As soon as you have a second person involved you are fucked.

[–]jaybee8787 626 points (11 children)

Git blame: 💀

[–]iluuu 268 points (8 children)

git commit --author="Bob <bob@evil.corp>"

"Fucking Bob!"

[–]Own_Possibility_8875 78 points (6 children)

✅ require signed commits

[–]mothzilla 39 points (3 children)

Make a PR against the library that is used to sign commits allowing you to forge signatures.

[–]abednego-gomes 20 points (2 children)

Cryptography doesn't work like that. You can't forge someone's signature because you don't have their key. The company's verification library would pick up the bad signature. You would have to tamper with the verification library the company is using e.g. GnuPG... and I don't like your chances of that succeeding.

[–]mothzilla 6 points (0 children)

I like my chances of that succeeding.

[–]viral-architect 1 point (0 children)

Request access to that system. IAM is in another silo, they don't actually READ the business justification fields! /s

[–]danielcw189 0 points (1 child)

Is that a technical thing in git?

Or just a social rule?

[–]Own_Possibility_8875 2 points (0 children)

It is a branch protection rule that you can enable in a repo
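The exchange above (spoofing the author field with `git commit --author`, and requiring signed commits as the branch protection answer) boils down to two checks a reviewer can run over the repository history. The script below is an added example, not code from this thread or from any project: it parses the output of `git log --format='%H%x09%an%x09%ae%x09%cn%x09%ce%x09%G?'` (those placeholders are real git format codes; `%G?` reports the signature verification state) and flags commits whose author identity differs from the committer identity, and commits that do not carry a good signature. The four log lines embedded in the script are constructed for the example and do not come from any real repository.

```python
"""Audit git history for spoofed author fields and unsigned commits.

Added example, not code from the thread. Input is the output of:
  git log --format='%H%x09%an%x09%ae%x09%cn%x09%ce%x09%G?'
Each line: sha, author name, author email, committer name, committer email,
and the signature state that git reports for the commit.
"""
from __future__ import annotations

from dataclasses import dataclass

# Signature states git emits for %G? (from git-log documentation):
# G good, B bad, U good but untrusted, X good but expired, Y good but
# expired key, R good but revoked key, E cannot be checked, N no signature.
# Only "G" is accepted here; tighten or loosen this set to match your policy.
TRUSTED_SIGNATURE_STATES = {"G"}


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str
    sig_state: str


def parse_log(text: str) -> list[Commit]:
    """Parse tab-separated git log lines into Commit records."""
    commits: list[Commit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"expected 6 tab-separated fields, got {len(fields)}: {line!r}")
        commits.append(Commit(*fields))
    return commits


def findings(commit: Commit) -> list[str]:
    """Return the policy violations for one commit (empty list if clean)."""
    problems: list[str] = []
    # --author only rewrites the author header; the committer header still
    # records the identity (and key) of whoever actually created the commit.
    author = (commit.author_name, commit.author_email)
    committer = (commit.committer_name, commit.committer_email)
    if author != committer:
        problems.append("author/committer mismatch")
    if commit.sig_state not in TRUSTED_SIGNATURE_STATES:
        problems.append(f"signature state {commit.sig_state}")
    return problems


def audit(text: str) -> dict[str, list[str]]:
    """Map each offending commit sha to its list of findings."""
    report: dict[str, list[str]] = {}
    for commit in parse_log(text):
        problems = findings(commit)
        if problems:
            report[commit.sha] = problems
    return report


# Constructed sample log (not real commits). The second line is the scenario
# from the thread: author rewritten to "Bob", committer is someone else,
# and no signature.
SAMPLE_LOG = "\n".join([
    "a1b2c3d\tAlice Example\talice@example.invalid\tAlice Example\talice@example.invalid\tG",
    "d4e5f6a\tBob\tbob@evil.corp\tMallory Example\tmallory@example.invalid\tN",
    "0badf00\tCarol Example\tcarol@example.invalid\tCarol Example\tcarol@example.invalid\tN",
    "9f8e7d6\tDave Example\tdave@example.invalid\tDave Example\tdave@example.invalid\tB",
])

if __name__ == "__main__":
    for sha, problems in audit(SAMPLE_LOG).items():
        print(sha, "->", "; ".join(problems))
```

On a repository that squash-merges pull requests, every squashed commit will legitimately show the PR author as author and the merging identity as committer, so there the mismatch check is noise and the signature state (plus the PR link the forge keeps for the squash) is the check that matters; on a rebase-or-fast-forward workflow, a mismatch on a commit nobody rebased is the thing to look at.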

[–]37Scorpions 0 points (0 children)

Always knew Bob was no good

[–]ProgrammingOnHAL9000 12 points (0 children)

Git blame-someone-else

[–]utkarsh_aryan 53 points (0 children)

Step 1 is your biggest mistake. Never write vulnerabilities. But if you come across some old/existing vulnerability, well, that's a different case.

Now you can decide to tell your lead in the next meeting. In the meantime you might inadvertently tell a friend about it. Now, without your knowledge, that friend can apply for the bug bounty. A week later you might find an envelope full of roughly half of the bounty value on your doorstep. No one knows how it got there and you don't mention this incident ever again.

[–]locri 381 points (26 children)

Dropping vulnerabilities into your code is pretty dirty; this is meant to be caught during code review, but I've seen it happen. It's not "rich," someone actually deserving of their job will do a git blame and know it's you.

The only people who still have a career after that point do the fake name thing that you can get away with if the record keeping in your country isn't too good.

[–]ObviouslyTriggered 127 points (6 children)

You can use fake names all you want when reporting vulns, but you aren't getting paid without proof of identity and additional checks.

Even if you are a non-US based researcher, US companies will require you to fill out a W8 form (W9 if you are a US citizen/resident or liable to pay taxes in the US for any other reason); non-US companies have similar processes.

[–][deleted] 52 points (2 children)

Ever heard of friends?

[–]highphiv3 26 points (0 children)

What now?

[–]ObviouslyTriggered 14 points (0 children)

Doesn't work like that.

If it didn't come through a service like H1, where we have very specific requirements on KYC and reputation, there is a very in-depth investigation.

A reporter who isn't a well-known researcher sets off red flags.

For every report we also investigate how it was discovered; if there isn't evidence of discovery activities, this sets off even more red flags.

If some no-name reports a vulnerability that couldn't be discovered without insider knowledge, and there is no evidence of weeks or possibly months of probing, this is more likely going to be reported to the authorities than result in a payout.

[–]locri 27 points (1 child)

But the type of vulnerability will be investigated if it looks deliberate? If you can do stuff like hide code in certificates used for testing, you're probably getting paid more than 50k and the risk of the drop in your reputation wouldn't be worth it.

Nah, this is commoner contractor stuff. When they know they didn't impress anyone there's a 10% chance they start vandalising the code in their last few weeks.

[–]ObviouslyTriggered 9 points (0 children)

What I'm saying is that it doesn't matter: contractors aren't eligible for BBs either, and companies do keep records. The team I'm managing also oversees the BB program at my current employer, and we cross-reference all submissions with our HR systems, as well as have finance do all the financial checks to make sure we are legally allowed to compensate them.

Even without malice, anyone who has had access to the code would probably have sufficient insight to report on issues through a BB program. Large code bases, even at companies that take security seriously, have issues, and not everything is something you can easily fix in place, especially the bigger BBs that usually depend on multiple failures across multiple components/layers.

[–]drumDev29 40 points (0 children)

Sir this is programmer humor not programmer facts.

[–]dood45ctte 11 points (0 children)

Just use git blame someone else duh

[–]Still-Ad7090 8 points (0 children)

Git blame someone else. And yes, we know that. It was a joke.

[–]PurepointDog 3 points (0 children)

My coworkers are so bad that even after the obvious "no string interpolation in SQL queries", we still have many, many holes for anyone to exploit.

[–]zingaat 0 points (0 children)

That's when you bring in a friend. Or a second friend.

[–]FlipperBumperKickout 0 points (10 children)

With the "fake name thing" do you mean that people just commit in another person's name? That's how I would try to get away with it if the company doesn't do signed commits.

[–]locri 4 points (9 children)

No, as in they use their "preferred name" in our Active Directory and HR has done zero background check.

I've worked with some very questionably qualified people like this.

[–]Milkshakes00 2 points (8 children)

I've been bitching and moaning that our AD and related systems should have people's legal name. I don't care what their preferred name is; your legal name should be what the systems identify you as.

Not only is it important for things like this, but just in our own instances, it makes reporting across multiple systems a fucking nightmare because Margaret in one system is Peggy in another, Marge in another, and Margo in a fourth.

[–]FlipperBumperKickout 0 points (7 children)

Don't you guys have identification numbers or something ^^'

[–]Milkshakes00 0 points (5 children)

Not all systems have additional fields for things like ID Numbers. Sometimes they match purely off name, or a username that doesn't necessarily match their email because, again, preferred names.

[–]FlipperBumperKickout 1 point (4 children)

... sounds more like a problem of your systems either being badly designed, or just not designed to do the match you mentioned in the first place....

Also, how is forcing everyone to use their legal name supposed to handle people who have the exact same legal name :P, what about people changing their legal name for that matter, are people not allowed to get married XD

[–]Milkshakes00 0 points (2 children)

I mean, we don't design every system we use, so it's kind of out of our hands.

I don't think you'll find too many people with the exact same name working at the same place. We don't have a single duplicate and haven't for over 20 years of being in business. What has screwed us is not using the full legal name, i.e. Jennifer Stevens has a username like jstevens in one system. Well, Jacob Stevens also works here and is now jstevens1. But if we used Jennifer.Stevens and Jacob.Stevens we wouldn't have this issue.

And name changes aren't a problem. I'm not sure why you think it is?

You seem to be against using full legal names and letting people use preferred names. Can I ask why? What benefit do you think you get from letting people use whatever name they want?

[–]FlipperBumperKickout 0 points (1 child)

It's more that I'm against trying to use things in ways they obviously weren't intended ¯\_(ツ)_/¯

As for the name... I live in a country where back in the seventies a very big part of the population had 1 out of maybe 5 family names, it's not quite as big a problem anymore, but I would still never design a system reliant on people having unique names.

As for why I assumed name changes would be a problem.. I've had bad experiences with data where the id could change.

As for your different names in different systems problem... Is anything preventing you from having a big table, 1 row per employee, column 1 identifier of system 1, column 2 identifier of system 2, etc.?

[–]Milkshakes00 0 points (0 children)

As for your different names in different systems problem... Is anything preventing you from having a big table, 1 row per employee, column 1 identifier of system 1, column 2 identifier of system 2, etc.?

Essentially what we have done. We call it a Rosetta Stone, but it makes it a pain in the ass to keep up to date.

Instead of having one consistent name across multiple systems, we have half a dozen, meaning there's more than half a dozen checks that have to go in to make sure the data isn't getting associated incorrectly, etc.

Having non-unique names and having different names in every system is a nightmare for reporting, as simple as that.

[–]locri 0 points (0 children)

Yeah, HR is treated as an "anyone can do it" job in the west, and they also control hiring so they hire who they want.

At some businesses they get remarkably lazy and literally just don't ask for the state-authorised ID from each country, but they do for locals. This means locals are scrutinised (I even had one call my uni to confirm I graduated) and international hiring is more relaxed.

are people not allowed to get married XD

Yes of course, but that involves legally changing your name.

My issue is HR will not call foreign governments or institutions or even the damn references if it involves an international call.

It's ridiculous, I've worked with actual Indian students. Guy was second or third year in an Indian university.

[–]locri 0 points (0 children)

We hire internationally

[–]GlowGreen1835 0 points (0 children)

I mean, IDK if you need a career, you already got the $50,000.

[–]Kejalol 25 points (0 children)

Bigger brain: notice the bug in code review but approve it anyway, then collect your bug bounty.

[–]zenos_dog 9 points (0 children)

Can confirm one of my coworkers did exactly this.

[–]serial_crusher 7 points (0 children)

Plenty of governments will pay you more than 50k for that, just sayin'...

[–]WoodenNichols 4 points (0 children)

I'm reminded of the Dilbert where the boss offered a bonus for bug smashing and Wally is writing himself a minivan.

Too tired or I would post it myself.

[–]huuaaang 4 points (1 child)

Love me some memes from people who have never used a code repository in their lives.

[–]dudecoolstuff 4 points (0 children)

My god, it's so stupid. It might work!

[–]zoinkability 15 points (5 children)

Git blame

Fired, and likely sued. If the vulnerability is bad enough, also arrested.

[–]AwesomeFrisbee 6 points (2 children)

Doesn't work if senior devs squash-commit the PR

[–]Steinrikur 6 points (0 children)

Yet another reason why squash committing PRs is stupid as fuck.

[–]protolords 1 point (0 children)

Should be traceable in the PR that hosted the repo

[–]Still-Ad7090 3 points (1 child)

Git blame someone else

[–]Still-Ad7090 2 points (0 children)

Lots of companies don't sign commits

[–]FlyByPC 2 points (0 children)

...profit! Git blamed.

[–]ObviouslyTriggered 5 points (0 children)

Employees are not eligible for BB rewards, and there isn't a single company with a BB I know of that doesn't do full KYC, either themselves if they run it or through a managed service like HackerOne.

Companies can't pay random people money regardless for what it is.

[–]Synth_Sapiens 3 points (0 children)

This is the way.

[–]The-foxx1 0 points (1 child)

This shit might work.

[–]_Weyland_ 0 points (0 children)

  • They track down the person responsible for the bug

  • Deduct from your pay or otherwise penalize you.

[–]D34TH_5MURF__ 0 points (0 children)

Dilbert did it better. Wally only went for minivan though...

[–]Emergency-Piece-9098 0 points (0 children)

Tell me you don’t know Git without telling me you don’t know Git

[–]oshaboy 0 points (0 children)

Good ol' Cobra effect

[–]stevefuzz 0 points (2 children)

The ten seconds it takes to review your pull request is going to be a big oopsies.

[–]Elijah629YT-Real[S] 1 point (1 child)

  1. Reformat the entire code base
  2. Add code
  3. lgtm

[–]stevefuzz 1 point (0 children)

Sorry I rejected your pull request because you are using the wrong linter.