You're right, but in this case I think some narrative liberty was justified, especially since Valve basically delegated triaging bug reports to HackerOne, but this relationship might not be immediately obvious to some readers. Suppose a nightclub contracts its bouncers from some security firm. You get kicked out by the contract security guard. I think most people would think it's fair to characterize this situation as "the nightclub kicked me out" on a review or whatever.
It doesn't look to me like Valve delegated triaging bug reports though, rather triaging security reports. It seems fair to me that the security reporter vendor triaged this as not a security report. It feels like saying "the wedding venue kicked me out" when actually the third party bartender just cut you off.
>It doesn't look to me like Valve delegated triaging bug reports though, rather triaging security reports.
That was a typo on my side, should be "security".
>It seems fair to me that the security reporter vendor triaged this as not a security report. It feels like saying "the wedding venue kicked me out" when actually the third party bartender just cut you off.
For all intents and purposes getting your report marked as "informative" or whatever is the same as your report being rejected. To claim otherwise is just playing word games, like "it's not a bug, it's a feature". That's not to say that the OP is objectively correct that it's a security issue, but for the purposes of this argument what OP wrote (i.e. 'Valve: "WontFix"' and Valve closed it as "Informative.") is approximately correct. If you contact a company to report a bug, and that company routes it to some third party support contractor (Microsoft does this, I think), and the support contractor replies "not a bug, won't fix", it's fair to characterize that as "[company] rejected my bug report!", even if the person who did it was some third party contractor.
> If you contact a company to report a bug, and that company routes it to some third party support contractor
That is not what happened, though. You can contact Valve/Steam directly. They specifically went to the third-party vendor, because the third-party vendor offers a platform to give them credit and pay them for finding security exploits. It is not the responsibility of the third-party vendor to manage all bug reports.
>They specifically went to the third-party vendor, because the third-party vendor offers a platform to give them credit and pay them for finding security exploits. It is not the responsibility of the third-party vendor to manage all bug reports.
I don't know, the wording on their site suggests HackerOne is the primary place to report security issues, not "if you want to get paid use HackerOne, otherwise email us directly".
>For issues with Steam or with Valve hardware products, please visit HackerOne — https://hackerone.com/valve. Our guidelines for responsible disclosure are also available through that program.
No, you are correct, that is a HackerOne employee filtering the report before someone at Valve looks at it, a lot of companies have this set up and it's not great.
I would be surprised if responsible Valve staff would agree that this is not something they should fix at some point.
It's still on Valve though. They chose to delegate this and H1 basically becomes their voice here. I wish it was made more clear, but I don't think it's wrong.
> You grant us and our legal successors the right to store, archive, parse, and display Your Content, and make incidental copies, as necessary to provide the Service, including improving the Service over time. This license includes the right to do things like [...] or otherwise analyze it on our servers; share it with other users
That could be boilerplate legalese for "obviously we need access to your code if we're to display and share it (as is the purpose for a public git host)"
1. Microsoft does not gain the license, but will be able to argue that they aren't intentionally committing copyright infringement in the cases where that distinction matters.
2. If Microsoft does something resulting in damages because they thought they had a license, their indemnification clause kicks in and they can recoup those damages from the user who uploaded it (to the extent that that user doesn't go bankrupt anyways)
3. Likely none of this matters because your license can't prevent activities that weren't prohibited by copyright in the first place, and training doesn't appear to be a prohibited activity at least under US law.
It's stayed perfectly flat across Trump taking office? Consistent with the tariffs not changing the price at which China sells goods at all and the US consumer bearing the entire cost of the tariffs.
Or if you're the military commander with the option to disobey the illegal order (to go to war without congressional authorization) or take the bribe and execute the order. "Unmarked cash" (which this is) has pretty different purposes from official funds.
I think there's a pretty good chance the person who took that money was opportunistic, this time, but $400k isn't a trivial sum of money, it's not impossible it was the difference between this happening and not.
If the prediction market is for a non-trivial amount, it's likely someone is going to kill you in exchange for the money the prediction market offered them. The prediction market isn't acting as a prophet here, it's acting as a plausibly deniable murder for hire service and you are its victim.
The people "betting against" you dying just paid to have you killed.
This was discussed on Polymarket with the Gävle Goat burning bet and assume it's why
Essentially it's a big straw goat in Sweden that vandals sometimes set on fire.
Right towards the end as the probability approaches zero there's a huge profit incentive, "done deals" usually go well under 1¢ meaning 100-200x returns.
A US man once traveled to Sweden to set the goat on fire, he was caught, fined $20k(?) and then fled the country before paying the fine.
Risk reward in a situation like this absolutely creates a situation for prediction markets similar to the observer effect in physics, it's no longer predicting the future and instead altering it.
As it gets closer to the deadline, the timeframe shortens, so the gain does increase. A 1% return which you're paid on tomorrow is a 3,778% annualized return.
There’s still limited liquidity. You need to find someone willing to put up a very large amount of money for almost no gain. I also doubt these websites have enough activity to well calibrate near 1 dollar bets, so it’s not clear the market is giving you accurate predictive power with very expensive bets, which means you’re risking a lot (again, for almost no gain).
Exactly, these markets exist in the real world, so as their size and use increases, the more likely the odds will influence real world events. Look at sports betting for a much smaller example. Match fixing is known. Electricity markets are gamed for individual profits at the detriment to everyone and the stability of the system, even with regulators trying to keep things stable. Enough "Market for all the things" already..
See, there are two major flavours of pro-market attitudes. The first one is "if we allow many independent individuals to try their own approaches to a problem and let the people with "better" approach to personally profit from it handsomely and make them compete against each other in an environment with objective-ish judgement of "what is better" instead of "impress the (inevitably corruptible) officials to be judged victorious and awarded the fortunes", and also manually guard and regulate against several universally known ways to sabotage such competition, then we'll be able to channel human ingenuity into solving difficult to solve technical problems while also rewarding those who are able to come up with (and implement) such solutions with low overseeing overhead". Of course, such an attitude isn't strictly speaking "pro-market", it's been around since ancient times; hell, the USSR of all places had this attitude in spades until about the 70s or so.
The second one is "Nah, we don't have to try and think about anything ourselves, just let people fend for themselves, they'll figure it out, and it won't have any unforeseen bad side effects, why would it; markets are magical like that!" Yeah, about that...
Right, a market is a small tool of larger systems. That’s fine, hard to get right but can make systems better. Type two just seems to be the cargo culted everywhere..
I think it's actually not that hard to get right (or at least "right enough"), as evidenced by the fact that markets have successfully run the entire global economy for thousands of years with no central oversight and almost no regulation.
Market failures do happen, and when they do it can be helpful to have an external force step in to nudge the market back onto the rails. But even without such interventions they work remarkably well on balance.
> markets have successfully run the entire global economy for thousands of years
Markets, as they are understood today, are more like about 300 years old, even less in some places. The bulk of world economy has been sustenance farming for most of the human history, with some communal mutual help (based on favours and mutual indebtedness) thrown in.
> with no central oversight and almost no regulation
Lol what? E.g. Roman Republic (and later empire) tightly regulated its markets, especially food trade, during all of its existence.
The industrial revolution multiplied the size of the global economy by several orders of magnitude, but it didn't create it. International trade has been happening on a smaller scale since large-scale civilized society existed. And I said "almost no regulation", not "no regulation". Probably something on the order of 99% of the regulations we have today wouldn't have even been feasible to enforce a couple hundred years ago, yet markets still functioned just fine on the whole.
The type of people who have the power to change decide these type of events already are able to use that power to make money in a thousand different ways. These markets will change nothing.
Yes, OOP might have chosen a suboptimal example here. But for general newsworthy events, people aren’t going to be in positions to manually make them happen. And no person in a position to start a war would do it to affect a Polymarket bet.
The prediction markets aren't yet at sufficient scale to purchase a war, you mean. People start wars for money all the time though. If they become of sufficient scale, people will purchase wars on them.
There's already lots of examples where they are of sufficient scale, like paying the press secretary to shut up after 64 minutes. Or paying someone to falsify ISW's map of the front line in Ukraine.
> But for general newsworthy events, people aren’t going to be in positions to manually make them happen.
Many newsworthy events (and even more events that actually reach prediction markets, many of which are at best marginally newsworthy) are actions that ultimately pivot on a human decision, so the first part isn’t true.
> And no person in a position to start a war would do it to affect a Polymarket bet.
Are you saying “no one would start a war with personal financial gain being part of the motivation”, or “it is impossible for the payoff of a prediction market bet to be of sufficient magnitude to alter the calculus in even the tiniest iota in that case”?
Because the first seems extremely clearly false, and the second seems improbable in the case where the first is false.
> And no person in a position to start a war would do it to affect a Polymarket bet.
Are you fucking kidding? Based just on current events, that is absolutely not a statement you can make without at least trying to prove it.
If you do try to prove that you will fail as the idea that people would start wars for profit is as old as wars.
Just evaluate the sentence you've just created. How many people exist who have the capability to start wars or influence the start of wars? It's a lot. What else do you know about these people and their motivations?
It isn’t just the people who can start a war. It’s also normal people who can.
Imagine if 10 million people bet on starting a war vs 5 million who say no war. Those net 5 million people are going on social media saying why the war is justified. They’ll vote in war mongers. They’ll support the military. The bet literally influences the result. It’s a self fulfilling prophecy.
I can see someone in the Trump admin absolutely using a betting market when they can influence the outcome. At the least I'd also bet that someone in the T admin was the person who knew about Maduro being captured.
...but many people in positions where they can start a war or cause some other highly visible event of any sort probably will start turning to Polymarket to make money in the course of their work
Not really, for the same reason entrapment isn't usually seen as an accurate way to gather information for law enforcement. See also Goodhart's law and overfitting.
It's not a bounty, though, right? It operates like other trading markets? So unless they have big money to wager, they don't have big money to gain. If it's hovering at, say, 10% odds, it's not like they can automatically 10x their money because other people have to take the opposite side. There would have to be a lot of liquidity in the market for their large bet not to move the odds, and as the odds move, they make less money.
> So unless they have big money to wager, they don't have big money to gain.
It requires that they put down collateral (the purchase of the yes bets) that they lose if they don't meet the contract, so they do have to have starting capital.
> because other people have to take the opposite side.
That is to say that there must be people offering the bounty.
The size of the bounty isn't defined by the price of the contract, but the total upside available in the order book.
> and as the odds move, they make less money.
They have to put up more collateral for the remainder of the contract if they want that upside - but they make all the money that they already put up collateral for.
> The size of the bounty isn't defined by the price of the contract, but the total upside available in the order book.
But one person doesn't get the whole thing. ALL the people holding that side of the contract split the payout, in proportion to the size of their holdings in that side of the market.
I think if I use hypothetical numbers, it will help me explain how I think it works, and maybe this will help someone figure out where my error is.
Let's imagine the market is about whether I will die by the end of the day. So far, there are $500,000 in total bets in the market, and there are 5,000 shares in this market. Let's say it's currently sitting at only 10% odds that I'm going to die. I think that means 4,500 shares, or $450,000, is on the "No" side and 500 shares, or $50,000 is on the "Yes" side. Do I have that right so far?
If nothing changes about the market and I'm still alive at the end of the day, everyone who holds a "No" share splits the $500,000 pot, correct? There are 4,500 of them, so they each get $111.11 per share.
But suppose someone has a solid plan to kill me by the end of the day. They decide they want to dump $50,000 in on the "Yes" side. That's not going to buy them 500 shares, because they would need someone willing to sell 500 shares at the current price. They'll actually get well under 500 shares, and probably not even half that many, and they'll still be splitting the pot among the other people who already have the 500 shares on the "Yes" side. So they're still at not even half the "Yes" side of the market. They can probably double or triple their money, but we're talking about making another $50-100k on top of getting their own $50k back. It's not like they get the whole $500k.
That's what I mean when I say it's "not a bounty." A "bounty" makes it sound like, "If you're the one who kills smeej, you get $500k," but that's not what's happening here.
Lots of people might be willing to try to kill me for $500k. A heck of a lot fewer are going to be willing to try to kill me for 2-3x whatever capital they can come up with right before the hit.
Am I at least understanding this part of it correctly, how the payouts actually work? If I'm not, that would go a long way toward helping me figure out what I'm missing.
> I think that means 4,500 shares, or $450,000, is on the "No" side and 500 shares, or $50,000 is on the "Yes" side. Do I have that right so far?
No - there's always an equal number of contracts outstanding on both sides of the bet. A contract is a promise from the person who sold "no" to pay the person who bought "yes" a dollar if the outcome happens. These contracts can trade from anywhere between 1 cent to 99 cents corresponding to a 1% chance to a 99% chance that you would die*. The odds the market reports is just whatever price the last contract traded at (or alternatively whatever price sits between the current open offers to buy/sell contracts. In liquid markets these tend to be the same).
> If nothing changes about the market and I'm still alive at the end of the day, everyone who holds a "No" share splits the $500,000 pot, correct? There are 4,500 of them, so they each get $111.11 per share.
They each get $1 per share. Their profit is $1 minus how much they paid for the share. It's not (meaningfully) a shared pot which is divided up, it's a fixed amount per share.
> They decide they want to dump $50,000 in on the "Yes" side. That's not going to buy them 500 shares, because they would need someone willing to sell 500 shares at the current price.
Ignoring the numbers at this point - you're generally right that they need to find someone willing to sell them the contracts. The existence of a large number of outstanding contracts doesn't guarantee this - they might be held by someone who is holding them to minimize the payout a hitman could get for killing you for instance.
The most direct guarantee is the order book. The order book is the collection of open offers "I'm willing to sell X yes-contracts at Y price" that the market has for potential purchasers. The hitman can look at this and snatch up all of these simultaneously (up to some race conditions in the market - we can mostly pretend those don't exist but they do introduce some risk on the hitman's side). This can be thought of as the size of the currently available bounty.
There's a chance the market will continually over-price these yes contracts - and the hitman will never kill you as a result. That would be a huge mistake on all the financially motivated holders of yes contracts though - their positions go from worth something (if they sell to the aspiring hitman) to worth nothing if they don't price them low enough. In general you should expect the market to find the price at which a hitman will carry out the contract - so long as there's enough money in the market in the first place.
* Ignoring transaction fees and the time value of money, it's close enough for this discussion.
But the hitman still does not get the entire value of the contract. The hitman gets the value of the number of shares he can afford to buy, but that's not the whole contract by any means.
I think I understand what you're saying about the pricing. Am I correct in saying, then, that if the odds are 90% in favor of my living through the contract, the "No, smeej won't die today" price should be close to $0.10 (again, ignoring fees and the time value of money)?
If the hitman tries to buy in with 10% of the total funds already in the market, the odds/price are going to shift hard. It's going to devour a huge chunk of the order book. Any market that suddenly has someone come in at 10% of the whole market value is going to get a massive trading wick. So yeah, he'd get some shares at $0.10, but he's probably going to eat the open order book to a much higher cost. He can 10x some very small portion of his money (however many shares are on the book at $0.10), but he can only 5x his money at $0.20, or 3x at $0.33.
Even if we assume he does have $50k to dump into the market, I still don't see how he's going to more than triple his money, which is a heck of a lot less than taking the entire market's value as though it were a bounty.
Yes - we agree on how the pricing and odds work now :)
The hitman shouldn't expect to capture the value of the entire open interest. The market here is serving to negotiate the bounty with speculators betting that too much was offered taking the rest (a privilege they pay for by buying contracts that only pay out if they don't take too much). It's a curious form of negotiation since the people paying for the murder don't participate... but should (in a very theoretical efficient market) come to a "fair" (large enough to get the job done, and no larger) payment for the hitman.
2xing your money in a night is a huge payout, I think you're overestimating how high the multiplier on the capital requirement needs to be. That said, if you aren't, and you need a 5x payout to find a hitman then no rational speculator would purchase contracts for more than $0.20...
It's only a huge payout if you have a huge amount of money. If you have $1k to put in, you get $2k out. Who's risking getting caught and potentially facing the death penalty for $1k in profit?
If someone already has significant money backing, and especially if that person already has some other specific reason to want you dead, I can see how it might be added incentive, but even so, you also now have to tip your hand. To buy in hard, you have to send a signal saying you have reason to be confident I'm about to die. You're basically shooting yourself in the foot right before trying to shoot me in the head.
Plus, it's not like the markets are anonymous. Polymarket isn't trading with Monero. You're not just tipping your hand ahead of time. You're pointing the investigators right at yourself.
I just don't see how the calculations end up falling in favor of killing somebody if you weren't already planning to do so.
OK so it's a much shallower thought than I anticipated.
Why go through the "prediction market" at all then? The hitman still killed someone, payments are not anonymous in this market, and it's certainly not clean. Further, you share the pot with however many are involved, proportional to the allotted bets on each side and presuming binary prediction. And if the winds change on the market for the bet proportional to the "hitman's" side, you lose out on dollars that would otherwise be paid to you (the hitman).
And it'd be so easy to stiff the hitman just by equalizing the positions by timing it.
All that risk for something that's far simpler to just pay directly?
> Why go through the "prediction market" at all then
It's there. It's not actually easy to find a hitman for hire. This is a publicly advertised market for it.
Plausible deniability. We weren't paying for the witness to be murdered, we were expressing our confidence that no one would murder the witness.
Price discovery. The market tells you how much you need to pay a hitman (if you overpay hedge funds swoop in and take the difference, telling you for next time. If the hedge funds underestimate the cost they end up paying a significant penalty to the people who they prevented from hiring a hitman).
Crowd funding. The market means that everyone can chip in however much they want towards paying the hitman, and they only end up paying if it's enough. In fact the middlemen who accepted the bets in the meantime may promise to pay some small amount of damages if enough isn't collected.
It is impossible to stiff the hitman, and there is no risk for the hitman that the "winds change". The hitman takes out the entire "yes" position before committing the murder. If it's not enough, they don't commit the murder.
There's two forms of manipulation mentioned. One is changing the market to influence public perception, that does become harder as the market grows in size.
The other is accepting the bribe, sorry, taking the other side of the bet, and making something happen. That only becomes worse with scale. When you're in the position to accept a million dollar payout to cause the press conference to only last 64 minutes, or to invade a foreign country, suddenly you have a million new reasons to do so.
On any prediction market where a reasonably small group of humans decide the outcome, and there's enough money to matter, "betting no" is better understood as offering a fee to make it happen, conditioned on damages should someone accept your offer and fail to do so. "Betting yes" is better understood as agreeing to facilitate the outcome - or assisting in the price discovery mechanism that says facilitators are overcharging.