
Let's imagine your backpack is open.

It's polite to say thanks if someone informs you that you accidentally left your backpack open.

But in no way are you supposed to give them anything.

Even further, some people take precious things from your backpack (trying to exploit the issue) and then come back to you asking for money, claiming they are nice people. This is nonsense.



... Did they actually steal anything or take advantage, or just touch the bag to make sure it wasn't fake? Seems more of the latter, and your analogy falls flat when the bag carrier contains other people's PII.


There are plenty of people here saying the equivalent that "not paying will only encourage people to take things from your backpack instead".


Terrible analogy. This is more like someone returning your wallet full of cash, on live TV. You aren't legally obligated to give them anything, but it sure is a dick move not to and good luck getting your wallet back next time you drop it if you don't.


Why will giving someone a cash reward mean you have a better chance of getting your wallet back in the future?


Because the next person will know there's a good chance you'll give them a cash reward, and that will tip the "immorally take all the cash" vs "return it and hope for a reward" balance more in favour of it being returned.

I would have thought that was completely obvious so maybe that's not what you were asking?

(On the other hand this is HN...)


The places you're most likely to get your wallet back in the world are the places you're also less likely to get a reward. The reward for returning a wallet is knowing you're doing your part to make the place you live in a nice place to live.


Doing free work for A16Z or any of the awful companies ruining our world is not helping make anything better.


I think A16Z and the companies they’ve funded have done a great deal of good for the world. The very web browser you typed your angry comment into is a technology pioneered by one of its two founders.

Being anti-VC is essentially being against technological and economic progress.


I like Netscape & its descendants.

Not everything that happens is progress, the world can often do without 'disruption'.


It’s just that the analogy breaks down a bit. It’s fair to say a dropped wallet in a city is a one-shot game—it’s reasonable to expect neither the participants nor their acquaintances will ever encounter each other again; whereas a security vulnerability is closer to a repeated one—it’s a fairly small world. (Some kind of neighbourly behaviour would work better here, but then again, it’s more difficult to find a universal experience of that kind.) I didn’t misunderstand this, but perhaps GP did?..


You're using the wrong line of thought on the analogy here.

The value of the wallet is not the cash you'd directly lose inside of it. The value is getting your ID and cards back without them being copied by someone else, along with any other identifying information.

The value of having an up-front and easy-to-use bug bounty system is it's easier to use than selling it off to some blackhats (hopefully). Those blackhats may otherwise scrape all your S3 buckets or somehow otherwise run up a zillion dollars of charges over a holiday with your keys.

Being cheap gets expensive.


Also the wallet had "please return me, cash reward" written on it. (Bug bounty advertised)


>You aren't legally obligated to give them anything,

Acktchually, depending on where you live, you might be.


It's not the same. Figuring out a backpack is open takes no effort. Finding a backdoor takes a lot of effort.


Not when you find it on first "inspect element". That really is the equivalent of looking through someone's window and seeing their bank information and credit cards just lying in full view of anyone who'd look in.



