Comment Re:@Whatisname - Re:LaserJet II and LaserJet 3 (Score 1) 702

> When my father and his generation bought stuff they expected it to last a lifetime,

Pretty much spot on. I've got a radio that was my great grandfather's; it was my grandfather's for a few years, and it's mine now. It's a glorious bit of work: solid maple cabinet, cherry veneer, coated with shellac. Tubes, picks up AM, and pretty sure shortwave. Can't remember off the top of my head what year it was made, but it still works, and they used it for years.

Comment I do it for the cred, for six figure salary. Jail (Score 2) 235

Aside from the obvious ethical reason, I see two reasons more important than the $1,000 to go "white hat" rather than "black hat".
When a potential employer Googles my name, I want them to find my name on CVEs, Github commits, etc. - demonstrable proof that I do in fact find and fix real-world issues. I'm working on that. Right now, I'd have to point out my contributions, they aren't easily found via Google. For that, having a company or other organization publicly acknowledge my work is much more valuable than $1,000, if it helps me land a great job.

On the other hand, selling it on the black market could put me in federal prison. If the good guys offer me $1,000 plus a reputation boost, while the bad guys offer me $5,000 plus a possible prison sentence, I think I'll take the good guys' offer. That $1,000 could, in some cases, be enough to pay someone's past-due rent so they don't feel they HAVE to capitalize on it in a bad way.

The other scenario I see is that several times per year I notify a smaller company of some security hole I noticed in passing. I haven't thoroughly probed it, just noticed "gee, it throws an error on O'Doole, it's probably not escaping the input and therefore vulnerable to SQL injection". Sometimes I don't bother to track down the proper person to notify. Sometimes, I send an email to the only readily available email address, customer service, and the $8 drone on the other end replies with a form letter wholly inappropriate to the situation, so they obviously don't understand what I told them. In those cases, I'll likely not spend much time trying to find another person at the company. If most companies paid even $100 for a bug bounty, that would make it worth my time to spend a few minutes finding their report form and using it. Heck, at $100 per SQL injection vulnerability I could make a good living finding and reporting those for six hours per day.
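The "it throws an error on O'Doole" heuristic above, shown as an added example (not the commenter's code): a query built by string formatting breaks on an apostrophe in the name, while the same lookup with parameter binding treats the quote as plain data. The table, names and SQLite in-memory database are constructed for this illustration.

```python
import sqlite3


def _db() -> sqlite3.Connection:
    """Constructed sample database: a one-column users table (assumption for this example)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT)")
    con.executemany("INSERT INTO users VALUES (?)", [("Alice",), ("O'Doole",)])
    return con


def lookup_unsafe(name: str):
    """Builds the SQL by string formatting: the user's input becomes part of the statement.

    An apostrophe in the input closes the string literal early, so SQLite rejects the
    statement. Returning the error text models the symptom the comment describes.
    """
    con = _db()
    try:
        query = f"SELECT name FROM users WHERE name = '{name}'"
        return [row[0] for row in con.execute(query)]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def lookup_safe(name: str):
    """Binds the value as a parameter: the driver keeps data separate from SQL syntax."""
    con = _db()
    return [row[0] for row in con.execute("SELECT name FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    for n in ("Alice", "O'Doole"):
        print(n, "->", lookup_unsafe(n), "|", lookup_safe(n))
```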

Comment Re:"Web 2.0" is a decade old now (Score 1) 55

When I step on my scale, it tells me if I need to carry an umbrella today (based on the weather forecast it downloaded). Then it sends my weight etc. to my iPhone where it's merged with information from my fitness wristband and my diet tracker. Based on that, I get suggestions like "you've been going to bed a little later than usual. You should catch up." or "drink more water today" or "try to walk this much further than you did yesterday".

I think that's not so shabby.

Comment Nothing can protect those tax returns, only endang (Score 1) 188

There is no option that's going to protect those tax returns. Telling the bad guys about it will certainly endanger the tax return data, though.
Since many (most?) people use the same or similar password for Facebook as they use for their tax service, protecting Facebook traffic actually protects a few tax returns.

What clearly isn't an effective option would be to announce the vulnerability to hundreds of tax-preparer sites before an updated package is available, expecting them to manually (and correctly) patch the code, without leaking the vulnerability so that it becomes widely known to the bad guys.

If you're going to try to protect people in the time between discovery and the fix being widely distributed, you can only do that by keeping it relatively secret, by limiting details to a small number of trusted people. Once you tell a lot of people, you've told a lot of bad guys. There's no need to do that before the updates are available and people can protect their customers.

Comment PS: how do you think it gets on the distro mirror? (Score 1) 188

> Isn't that assumption where the whole argument for notifying selected parties in advance breaks down? ...
> it will often be applied when their distro's mirrors pick it up, but that was typically within a couple of hours for Heartbleed

How do you think those packages get on the mirrors? Do their servers magically patch the code, rebuild the packages, and set it as a high priority update? The fix gets on the mirrors as a result of "notifying selected parties in advance".

Comment Wrong math. 2 years of vulnerability. (Score 3, Insightful) 188

> they had a whole day to attack everyone who wasn't blessed with the early knowledge, instead of a couple of hours

Years, not hours. Assuming the bad guys knew about it, they had two YEARS to attack people. If we told people that there was an issue on Monday, that doesn't protect them - they just know that they're vulnerable. They couldn't do anything about it until the update packages were available on Tuesday.

On the other hand, had we made it public on Monday, we would have GUARANTEED that lots of bad guys knew about it, during a period in which everyone was vulnerable.

I'm talking about what we did here. It appears to me that Google definitely screwed up by not telling the right people on the OpenSSL team much sooner. (Apparently they told _someone_ involved with OpenSSL right away, but not the right someone.)

> you protect some large sites, but those large sites are run by large groups of people. For one thing, they probably have full time security staff who will get the notification as soon as it's published, understand its significance, and act on it immediately.

ROTFL. Yep, large corporate bureaucracies, they ALWAYS do exactly the right thing, in a matter of hours.

Comment Next up: customer notification (Score 1) 188

One thing I haven't heard discussed is whether affected companies should be notifying their end users about whether they were affected and when it was fixed. I haven't heard from my bank, for example. Were they ever vulnerable? Should I update my password? If they were vulnerable, is it fixed now, or would I just be handing an attacker my new password if I were to reset it today?

I wrote up a proposal called Heartbleed headers for communicating this information to site visitors. While I'd like it if everyone picked my idea as the new standard way for doing this, I just wish admins would start using something. We're so close to having a browser plugin be able to tell you "you need to update your password on this site" as you browse. How nice would that be?
