Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

One time I was working on a MapReduce that processed a lot of XML found on the internet (I can't remember why anymore (edit: I remember now why I can't remember, it was a friend's program that I was helping out on)) and I found it crashing on some input. After some examination of my code I traced it to a bug in libxml (which is also used by Chrome, Safari, and others). I simply reported the bug to the appropriate parties and it got fixed. It's funny to think that the author of that bogus xml file had gotten the syntax wrong enough in a way that would've been worth thousands of dollars!


It's worth noting that not every bug is a security-critical bug. Similarly, not every crash is a security-critical crash.

Sometimes you can exploit a bug to give you something, sometimes it's just a plain old bug.

People only pay for the security-critical ones.


There was a recent article about using random generated programs to crash different C compilers. Then they automatically reduce the size of the programs to make them readable. Some corner cases are difficult to find thinking, and their approach was to find them by brute force.

"57 Small Programs that Crash Compilers" http://blog.regehr.org/archives/696 (14 comments) http://news.ycombinator.com/item?id=3794934


A bug is sometimes just a bug. To be valuable, it has to lead to a vulnerability and ideally to privilege escalation. If it simply crashes the application without the ability to control further program execution, it's useless.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: