axiomofinfinity from patreon

BtS: The Anatomy of a Bug Report

It occurs to me that not everyone may be familiar with how responsible disclosure works in software development, and how real-life bug bounty programs have shaped how this story works. There are a lot of jokes in this book that are probably only really visible to software developers. For example, Daemons aren't just named after a Unix process: their description is a reference to the Computer Science concept of Garbage Collection, and the list of skills Infinity just learned is a reference to CRUD.

There are about a million such references scattered throughout the book, particularly when The Adversary is involved. However, none is more direct and obvious than the fact that he's running a bug bounty program.

This is obviously critical to the plot, and I included it for a few reasons. In software development, smart companies offer bug bounty programs because not doing so is far more expensive than doing so. It's a matter of gambling that your internal processes and developers are literally infallible, versus possibly going bankrupt overnight.

Paying people who are good at breaking things for telling you about the things they find a way to break is just a good idea. Rather than having them steal everything from you, it provides incredibly smart people legitimate work and makes it not nearly as worth it to fuck you over. Tens or even hundreds of thousands of dollars is nothing to a company like Google, compared to the millions of dollars in lawsuits and government investigations they would be subject to if (for example) someone found a way to arbitrarily access anyone else's Gmail account and used it for malicious purposes.

The Adversary, very obviously, has spent time on Earth. It's unclear exactly why or how, but we can tell that if he hasn't worked in software development he's certainly studied it. What he's learned from this is that the moment you create a rule, someone will find a way to break it. Our mythology is full of stories of people defying or tricking the gods. It's the stuff of heroes, and it's why defying a deific curse (with an affinity) results in a heroic skill. This mirrors the classics using a new medium.

The Adversary saw this, and realized there was a better way: don't punish people who break the rules, reward them for showing you your own weaknesses. In a few chapters Dawn will address this directly, giving her church's explanation for all of this in more mythological terms. From a more secular viewpoint it's just good sense. What you don't want is exactly what happened with the loot boxes.

This is called a Zero-Day vulnerability (a flaw being exploited before its owner even knows it exists), and it's exactly the sort of thing that bug bounty programs are intended to eliminate or reduce. Unfortunately, it is sometimes the case that someone who discovers an exploit will decide that using it is more valuable than reporting it. This can be because your rewards aren't good enough, or because the potential gain from not reporting it is worth the risk. In the case of the loot box exploit, it's because the gains were worth the risk as far as anyone using it knew.

What that loot box exploit means for most people capable of exploiting it is a lifetime of triple loot rewards. Loot boxes are the primary way System distributes items as quest and achievement rewards, other than a few standards like the orb of experience. This is why multiple people throughout the history of Astra have decided that they'd rather just keep it to themselves. Those who don't know how the bug bounty program works likely don't realize how great the rewards are, and those who do likely don't realize how big a deal this is to System (mostly because multiple people are using it).

Infinity gets such a large reward here because not only are people actively exploiting this flaw, but, unknown to her, the process that powers the loot boxes is not free for System. I won't explain how it works at this point, as I suspect it will come up in book 2, but effectively people who exploit this are harming System in a way he wasn't able to detect. He likely had some indication that something was wrong, but not where the bleed was coming from, sort of like a leaky faucet you don't notice for months because it only drips once every few minutes.

Additionally, it is The Adversary's policy that people who report bugs like this get to keep the things they got from them. This is to prevent people from feeling the need to hide exploits simply because they don't wish to lose the things they got from the original discovery. It actually encourages people to report bugs, knowing that they are legitimizing their ill-gotten gains. There are some exceptions to this, but they are very few and far between (and would in most cases receive an equivalent bonus reward instead). An example of this would be finding an exploit that is actively destructive to System or Astra (such as freezing System's avatar - Infinity didn't get to keep that, not that he'd have wanted to :P).
