This post has been supported by @Splinterboost with a 30% upvote! Delagate HP to Splinterboost to Earn Daily HIVE rewards for supporting the @Splinterlands community!

Delegate HP | Join Discord

Interesting... Anthropic Mythos was deemed too dangerous to release to public because it easily hacks every single system on the planet...

So we can basically point AI now at a target and it will find you vulnerabilities...

If I read his post; he indicated that he used AI tools to find the vulnerability.

You are in the business and a professional: how much do you say a fair price for this?

Yeah... I am not in the security field and I don't know what is a fair price for this. Obviously he did some work and probably in the range of 4 to 20 hours without seeing the report and being an expert on the white hat stuff.

It sounds like he was insulted by $10 and CEO response. Given that DAO is not rich and we don't know how much time he spent a fair negotiation starting point would be $1,000 to $2,000

That is a good ballpark number to start with. I respect your opinion because you work at Microsoft. Most of the people here don't have the proper context.

Even if you had to write a proposal I would support it. It getting even easier for people to find these vulnerabilities using AI. It takes literally zero skill to find a flaw and create and deploy a payload or exploit.

So my question is how much is it worth ;)

According to Google, a good pen test is a two to three week process. Costs vary based on region, but I think that $1000 per week for say three weeks would be reasonable. If I knew what I was doing I'd do the job for that amount.

Ok. So $3000. Thank you.

Of course!

Thanks for your devotion to transparency, @azircon

No problem Matt. I just don't want to get us into legal trouble. I just want to make sure if someone sues me I have my bases covered and if I want to sue someone I can grab that person by the balls :)

hard to say , if you lose your wallet and someone finds it and returns it , in a lot of places it's normal to give a finders fee of 10%.

I have no clue of the amount of values there is in splinterlands but i guess 10% would be to much to pay in this case .

you didn't lose your wallet yet , but he pointed out that it could happen .

Yes, didn't lose the wallet yet ;)

Thanks for the transparency, I really appreciate that. I was already reading about it on Discord yesterday.

Personally, I do think it’s fair to pay some sort of amount, though I honestly can’t put a price on it. If wallets were potentially at risk, that alone is already worth something.

I even think situations like this can be handled without going through a full proposal process, simply to be able to act fast together with the treasury. I trust them to make solid decisions, but only if we keep the transparency. Don’t solve everything purely in Discord where only a limited group will read about it.

In cases like this, “better to ask for forgiveness than permission” might actually apply.

And regarding the vulnerability itself, I think we should be thankful someone reported it without bad intentions. Again, what price do you put on that?

Chatgpt:
Honestly, in the crypto space, a zero-day vulnerability for a DAO could easily be worth anywhere from a few hundred to thousand dollars to more, depending on the impact and exploitability. Preventing a serious exploit could literally save the treasury.

Thanks for the reply. But from someone like you I was really hoping for a personal opinion and NOT a chat GPT prompt response because I can do that :)

Now please give me your personal opinion on a $amount

Let’s break it down.

A self-employed professional charging around $100/hour who spent several days working on the report, communicating with Splinterlands, and following up based on his previous post would probably land somewhere around $2,500 in value (if the actual discovery was a potential big risk). That seems like a fair estimate to me.

The bigger question is: has he actually asked for anything yet? Is there even an open price discussion, or is he making demands?

Thank you! Now this is the answer I was hoping for.

He sort of thrown various numbers but nothing officially so I am not disclosing it. Also if I disclose how can I independently ask for a fair value to other professionals like you?

My understanding is, that the DAO never offered a bounty to begin with. There was no agreement beforehand and I read somewhere that originally the guy wanted to keep 25% as a finders fee. In my opinion it was a service not requested and I don't see any obligation for the DAO to pay anything.

If he did it out of the goodness of his heart, then great and many thanks, but without an official bounty set beforehand I don't see a reason to reward the theft, just because the money was given back. Now if the DAO wants to set an official bounty for the future I would argue that said bounty can be paid retroactively to the guy, otherwise a proper thank you, not the terrible answer originally given, would be in order, but that is about it.

Back in the days "white-hats" just left a note how to fix the vulnerability and request a job interview.

> that the DAO never offered a bounty to begin with

Correct. This is simply because any such thing never happened before.

> There was no agreement beforehand

Correct. That is why this post is written

> Back in the days "white-hats" just left a note how to fix the vulnerability and request a job interview.

Thank you for your input, much appreciated

The thing Luis found is IP-address leak through externally loaded content. A guild/tournament/profile page allows user-controlled external images or embeds. Anyone viewing the page leaks their IP to the host of that image.
So this is why content has to be approved before publishing it to SPL, the recent change. Paying 5k for it is nonsense if you ask me. And the fact that you can agree and pay put 5k without ask is terrifying xD ok maybe it's peanuts for you. Anyhow i would reward Luis with 1k as finders fee

Question is, why Sylar didnt find it? Isn't this a part of his job? What do you do in team @sylar1 ? @sylar? If you still are in. Do you think 5k is adequate for this?

Word on the street is that there is more to it. There is an additional vulnerability related to Validators, and that is the item the bounty is about.

Feel free to ask Louis about it.

> Paying 5k for it is nonsense

Appreciate the comment.

Ok, could be. If thats the case then bounty can be higher. Im not so up to speed. But one would guess they do some pen tests. It's always better to fix it before it's too late. Question remains, where is our security officer in all of this

Valid question. Obviously I am not the person to answer it.

Question stands.

As I mentioned in DM when we chatted, I think this should have been handled far better and perhaps it is a good learning experience for everyone going forward that some kind of process is required. Having said that, can't go back in time and change things.

@seattlea ballparked some hours and an hourly rate at say $100 for 20h is 2000, but if he did spend that time (I don't believe it took that long) there was no guarantee of that pay, ,so if he found nothing, he would get nothing. So perhaps a 50% bonus on top for finding, so $3000 for the work plus the bonus.

And then having said this, it should be handled well behind the scenes and then transparently after settled, so that other people know there is an opportunity to earn a bounty. If there is no opportunity for a bounty, then Splinterlands would have lost 100% of what could have been taken and perhaps if it was someone else instead of @louis88, they would have. And remember that now, there will be others using AI to surface vulnerabilities and exploit them, with no intention of getting the bounty.

Trouble is he did found the vulnerability and did exploit it to prove that it can be done.

Knowing that, what would be a fair value that he can ask, and we can pay. Provided if we want to pay.

Exploiting it as proof of concept isn't the problem. Did he then ransom it? If so, that isn't really white hat, it is racketeering or something. :)

This is where it gets Grey.

Did he or did he not.

He did return the tokens. But he did so under threat. So I don't know how to classify it. So I am asking...

Here people go to jail for something like that or much less...

So I don't really know...

IMHO, you must pay Louis, as taraz said people should know there is a bounty that would be paid in case they found a vulnerability and report it.

The best course of action in this scenario could be to fix a amount that should be paid to Louis and for the future efforts made by anyone in this regard. As Louis returns the amount after being threatened, you can cut out a penalty amount from that total. This penalty amount could be fixed too for future, as well.

Not all of the users on Hive are aware of all of the things, so someone has to write something on some burning issues. A well researched topic by anyone should be welcomed.

You have written about and explained Zero Day Vulnerability in such good way that it is hard to say you are other than an expert on the topic.

IMHO, Louis must be paid, at the least, a reasonable percentage what his efforts have saved.

Now that's unfortunate and interesting. I read through the article and the comments, too. I think his work is awesome and am very impressed by it, given that I have not much of a clue, of course. But I'll try to keep it neutral in this comment:

First - worst possible communication if that mail is true like that or even in the ballpark. The people in charge of communication really have to up their game, not the first time it's an issue.

Second, numbers. a) The value of his work hours. Knowing the value of the work does help, though, to find a fair number. But it seems like he's German, so the €/h in German should be used. But what if someone in Ecuador finds the bug? Or another low wage country? Ir a super high wage country? I don't think this is a good approach.

b) Calculating as a full time job is not applicable as he was never hired to do so. It seems to be a hobby, and he's getting financed from other Hive-platforms to use a high end AI to do just that. He did a few great reports on that. So, basically, it's a quid-pro-quo situation. He gets access to an awesome tool and in exchange he helps platforms to fix their security issues.

c) I'd rather go from the potential risk of the issue, how much could've been stolen, and hence how much damage it prevented in the future. Which I can't estimate without numbers.

d) As mentioned in the comments under his post, the bounty should be according to the means of the platform. The DAO funds are not endless, but limited to 5k. If they have 5k, spending all of that for one bug (no matter how big) doesn't leave anything for other vulnerabilities. If we go from the budget, I'd say 20% is fine, 1000$. That gives the DAO enough wiggle room to finance 4 other big vulnerabilities and sends a good signal to other White-Hatters, which is important too. Hopefully unnecessary, but who knows.

Third, compromise. The DAO could buy him a month of that Anthropic Hacker thing that seattlea mentioned, and ask him to find more vulnerabilities so they can learn from them and avoid that kind of code in the future. If that's possible.

Fourth, the DAO could establish a small fund for White Hatters. Those who put in the work, of course, not those who send those screenshot e-mails that Louis mentions. Set some rules, a pathway of how to determine the value of vulnerabilities, and so on.

So, in essence: $1000 for a mayor vulnerability that could've cost the company dearly. If communication was really that rude, an apology is in order, too. And maybe the offer to finance a month of a great AI to find more weaknesses.

There will be a proposal so you will get to ask these questions to Louis in gory detail :)

I already DV the pre-proposal for lack of information. Can't assess the situation like that. Again, communication...

I would have preferred to see a proposal to set up a bug bounty program and pay him via that. Then we have one vote and are sorted for the future.

Also, who is in charge of writing the code and hence responsible for not finding the bug? They should be involved in some way, too. They're getting paid to do a save job, but they didn't, and now someone else is being paid for finding the flaws in their work.

We are responsible for writing the code. Meaning DAO pays the salaries for the devs.

Wouldn't that mean the devs are responsible for the code?

Yes they are.

So,?

Will they contribute in any way to the bounty? It was their mistake, and I think they should be held accountable to at least some extend.

If your employees burn a bread, do they get a salary cut?

One small one? Probably not, just a serious reminder to be more careful with company resources. The whole round of baking, like 50 loaves at once? Yes, of course. They weren't doing their job attentively, which is what I pay them for, but were negligent.

@clayboyn and @davemccoy look at this tough boss!

And you guys say I am the bad guy! :) :)

Nothing bad about that. Just fair. I don't pay over-average wages for them to literally burn my capital. I gladly pay more for a over-average work and outcome, but not for mediocre outcome.

I'm right now doing a consultancy at a company that did just that. They paid and didn't care about the quality. They're basically bankrupt because their product quality went down because nobody cared about it, everyone got paid anyway. I'm all for fair payment, but fair is a balance, not a one-sided extreme.

I could write a whole rage post about that. Going to breath now.

Just my point of view:
- I am highly in favor of having a big bounty program. Having the freedom to reward up to 5k without a proposal is something I think is great (I would be in favor of allocating 20k with max single transaction of 5k without a proposal)

• I think that if this program was in place when the issue got noticed, it would had been rewarded.

• Reading up the comments - “initially demanding money in order to return the remaining funds” this changes everything for me. Where I understand his motives and frustration (especially with the $10 offer). This is not the way, and I also don't think it should ultimately be rewarded in this manner. (I think he is crossing the line here and taking the risk of being sued himself).

Overall:
- yes, setup the bug bounty program. Future work for Louis should be rewarded. This mention is not up for reward from the program due to (crossing) the thin line towards blackmail.

Mostly agree.

Trouble is currently we have no such program

bilpcoin #bpc exposed #buildawhalescam #buildawhalefarm #themarkymarkscam #themarkymarkfarm #hurtlockerscam #hurtlockerfarm #acidyoscam #acidyofarm #jacobtothescam #hivepopescam

@jacobtothe The ledger doesn't lie, and neither do we. We've already exposed the interconnected web of your friends—the numbered wallets, the synchronized voting, the farming rings disguised as curation. Yet, instead of reflection, you offer only more silence and more downvotes.

Why does a "community" need so many ghost accounts to survive? Why do you refuse to admit that it is your friends and your own abusive behavior—not truth-telling—that drives people away? You can not hide the pattern, it only highlights the desperation.

We have to ask: Are you okay? Do you need some help with your mental health? Because no one in their right mind would choose to spend their life defending a house of cards built on lies, bullying, and botnets. There is still time to step back from the edge. Choose clarity over compulsion. Choose truth over the tribe.

bilpcoin

https://youtu.be/THDYraGfQk8?list=PLbH29p-63eW8VHjHSzryEdqGZ2Uv397Se

The Sanctuary of the Builder: A Manifesto for Free Creation

Prologue: The Right to Rise

There is a sacred covenant between the creator and the soil upon which they build. It is the promise that if you plant a seed with honest hands, the earth will not conspire to crush it before it breaks the surface. It is the assurance that the gardener exists to nurture the growth, not to trample the sprout because it does not yet resemble the tree.

On the blockchain, this covenant has been broken.

We have witnessed a tragedy where the very tools meant to protect the integrity of the network—the downvote, the curation trail—have been weaponized by leviathans of power. These "whales," entrusted with the stewardship of the ecosystem, have become its jailers. They do not prune the weeds; they scorch the earth. They do not guide the new voice; they silence it with the crushing weight of their accumulated capital.

It is time to leave the shadow.

It is time to build where you are free.

I. The Betrayal of the Guardian

The downvote was conceived as a shield—a delicate instrument to deflect spam, to repel malice, to preserve the sanctity of the commons. It was never intended to be a hammer.

Yet, look at what has come to pass. The whales, those who hold the greatest sway, have turned the shield into a weapon of mass suppression. They do not downvote to protect; they downvote to dominate. They do not drive away the bad actors; they drive away the people. They create an atmosphere of fear where the creator hesitates to speak, fearing that a single misstep, a single unpopular truth, will summon the wrath of the oligarchy.

When the guardian becomes the predator, the flock must flee.

To build in such a place is to build on a fault line. It is to invest your soul in a garden where the owner holds the shears not to shape the hedge, but to decapitate the flowers that grow too tall or bloom in the wrong color.

This is not protection. This is tyranny disguised as curation.

II. The Call to New Grounds

Where, then, shall the builder go?

You must seek the lands where the soil is rich with freedom, not poisoned by fear. You must migrate to the platforms where the mechanism of suppression has been removed, where the only metric of success is the genuine appreciation of your peers.

Go to Blurt.
Here, the downvote button does not exist. There is no tool to crush your voice. There is only the upvote, the comment, the share. Here, value is created by addition, not subtraction. The whale cannot sink your ship, for there are no torpedoes in these waters. You are free to build, free to fail, and free to succeed on the merit of your work alone.

Return to Steemit.
In this older ground, the downvote remains, but it has not been twisted into a tool of systematic oppression. The culture there remembers the original intent: correction, not destruction. It is a place where the community self-regulates through dialogue, not through the brute force of coordinated downvoting cascades.

Build where the wind lifts you, not where the gale seeks to tear you down.

III. The Architecture of Freedom

Imagine a platform designed not for the convenience of the powerful, but for the dignity of the creator.

• No Shadow Bans: Your content reaches the eyes it was meant for.
• No Whale Veto: No single entity, no matter how wealthy, can unilaterally erase your contribution.
• True Meritocracy: Rewards flow from engagement and love, not from the whims of a cartel.

This is not a dream. It is a choice.

Every time you choose to build on a platform that respects your agency, you cast a vote for the future of the internet. Every time you refuse to tolerate the abuse of power, you strengthen the foundation of a free society.

Do not let the whales convince you that their oppression is necessary. Do not let them tell you that their downvotes are for your own good. The gardener who kills the seedling does not love the garden; he loves only his own control over it.

Epilogue: The Unchained Creator

The blockchain was born from a desire for freedom. It was forged in the fire of resistance against centralized control. Let us not forget that origin.

If the current chains of Hive have become heavy with the weight of abusive downvotes, then break them. Forge new links. Build new shores.

Build where you are free.
Build where you will not be downvoted into silence.
Build where the whales are reminded that they are part of the ocean, not the masters of the tide.

The future belongs to those who dare to create without fear. Go forth, and build your cathedral in the sunlight.

— Bilpcoin: We expose the truth, so you can build upon it.

#FreeSpeech #BlurtBlog #Steemit #NoDownvote #CreatorRights #HiveExodus #Decentralization #BuildFree #AntiCensorship #Bilpcoin

@ipromote Wallet:

• Author Rewards: 2,181.16
• Curation Rewards: 4,015.61
• Staked HIVE (HP): 0.00

• Rewards/Stake Co-efficient (KE): NaN

• HIVE: 25,203.749

• Staked HIVE (HP): 0.000
• Delegated HIVE: 0.000
• Estimated Account Value: $6,946.68

Recent Activity:
- Sent to alpha-5,196.000 HIVE (21 hours ago)
- Sent to hiveswap-1,000.000 HIVE (2 days ago)
- Withdraw vesting from @proposalalert to @ipromote 0.447 HIVE (3 days ago)
- Received from proposalalert 4.003 HIVE (5 days ago)
- Received from themarkymark 1,775.684 HIVE (9 days ago)
- Sent to alpha-4,245.000 HIVE (9 days ago)
- Received from themarkymark 4,280.527 HIVE (17 days ago)

@leovoter Wallet:

• Author Rewards: 194.75
• Curation Rewards: 193.88
• Staked HIVE (HP): 0.00

• Rewards/Stake Co-efficient (KE): 388,632.00 (Suspiciously High)

• HIVE: 0.000

• Staked HIVE (HP): 0.001
• Total: 16.551
• Delegated HIVE: +16.550

Recent Activity:
- Withdraw vesting from @leovoter to @ipromote 0.053 HIVE (Sep 29, 2024)
- Withdraw vesting from @leovoter to @ipromote 0.053 HIVE (Sep 22, 2024)
- Withdraw vesting from @leovoter to @ipromote 0.053 HIVE (Sep 15, 2024)
- Withdraw vesting from @leovoter to @ipromote 0.053 HIVE (Sep 8, 2024)
- Withdraw vesting from @leovoter to @ipromote 0.053 HIVE (Sep 1, 2024)

@abide Wallet:

Recent Activity:
- Sent to ipromote -2,459.000 HIVE (22 days ago)
- Sent to ipromote -2,486.200 HIVE (Apr 1, 2025)
- Received from yabapmatt 20,000.000 HIVE (Apr 1, 2025)
- Sent to ipromote -2,130.400 HIVE (Mar 8, 2025)
- Sent to ipromote -2,248.000 HIVE (Feb 2, 2025)
- Sent to yabapmatt -5,000.000 HIVE (Jan 25, 2025)

@proposalalert Wallet:

• Author Rewards: 639.99
• Curation Rewards: 0.00
• Staked HIVE (HP): 6.03
• Rewards/Stake Co-efficient (KE): 106.12

Recent Activity:
- Withdraw vesting from @proposalalert to @ipromote 0.447 HIVE (3 days ago)
- Sent to ipromote -4.003 HIVE (5 days ago)
- Sent to themarkymark -0.012 HBD (5 days ago)
- Withdraw vesting from @proposalalert to @ipromote 0.447 HIVE (10 days ago)
- Withdraw vesting from @proposalalert to @ipromote 0.446 HIVE (17 days ago)

@stemgeeks Wallet:

• Author Rewards: 4,391.77
• Curation Rewards: 304.26
• Staked HIVE (HP): 0.00
• Rewards/Stake Co-efficient (KE): 4,696,032.00 (Extremely Suspicious)

Recent Activity:
- Sent to themarkymark -1.556 HBD (Jun 14, 2024)

• Withdraw vesting from @theycallmemarky to @ipromote 0.725 HIVE (Dec 1, 2024)
• Sent to ipromote -9.202 HIVE (Oct 17, 2024)

@apeminingclub Wallet:

• Author Rewards: 432.57
• Curation Rewards: 2,829.11
• Staked HIVE (HP): 30.51
• Rewards/Stake Co-efficient (KE): 106.90

Recent Activity:
- Scheduled unstake (power down): ~2.351 HIVE (in 4 days, remaining 7 weeks)
- Total Staked HIVE: 1,292.019
- Delegated HIVE: +1,261.508
- Received delegations:
- @xykorlz: 624 HP (Jan 26, 2024)
- @bashadow: 111 HP (Sep 20, 2021)
- @dechuck: 104 HP (Mar 10, 2024)
- @hironakamura: 76 HP (Aug 23, 2022)

• Withdraw vesting from @apeminingclub to @blockheadgames 2.348 HIVE (10 days ago)
• Claim rewards: 0.290 HP (10 days ago)

Sent to bdhivesteem-40,000.000 HIVE
6 hours ago
101417581
Sent to bdhivesteem-20,000.000 HIVE
6 hours ago
103874728

https://peakd.com/@hurtlocker/wallet !LADY !ALIVE !HUG !INDEED !HBIT !LUV !PIZZA

https://youtu.be/hw3M8NC_9PI

https://www.youtube.com/shorts/pM6aQTrjC98?feature=share

PIZZA!

$PIZZA slices delivered:
@bpcvoter2(7/10) tipped @azircon

Learn more at https://hive.pizza.