Comment by CapacitorSet
8 years ago
>Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt.
Considering the amount and sensitivity of the data they handle, I'm not sure a t-shirt is an appropriate top-tier reward.
Not only that, but the "reward" in the program is laughable and frankly insulting to any serious researcher considering the scope of CF. Bug bounty platforms are already becoming the fiverr of ITSEC (that's not a good thing), CF just made an extra effort to diminish the value for researchers.
Management: "Why do we offer $5k for a small bug again? Look at CF, they don't offer any money!"
> "Why do we offer $5k for a small bug again? Look at CF, they don't offer any money!"
Answer: "Because if they had set up a bounty of $50k for security issues, they'd had thousands of researchers/students/white hats etc. watching the output of their servers."
"...and could maybe avoid or lessen the impact of this fiasco."
I don't disagree.
But, Taviso is probably contractually prohibited from accepting money from CF as a Google employee. Many large companies have 'outside activity' clauses and Google seems to be paying him already for that.
However, it will affect others who are fully freelance.
If serious researchers are looking to get paid, I think bug bounties are the wrong approach entirely.
It's about payoff * probability.
Let's say I (an idiot, but knowledgeable enough) stumble upon a serious vulnerability in Google.
Option 1: I could try to sell that on a darknet market for a decent amount of money. State actors, hacker groups, lots of people want to pay for such things to exploit. But, I might not get paid very much, I might get screwed over, I might go to jail, who the heck knows, I'm playing with a bit of fire here. Could make a good pay day though.
Option 2: Google offers a bug bounty that is known to pay well. It probably offers guidance on how much my exploit is worth. They'll almost certainly pay. And hey, no one gets exploited, which most people feel is a good thing.
Value = payout * probability. If bug bounties pay well, option 2 has a higher value most of the time. But if a company offers t-shirts, or is known for screwing over the discoverer, the perceived value falls quickly.
That's why companies who take security seriously pay good bounties, loudly and publicly.
Why? Many can help find problems without having to be full-time, that's the point of crowd-sourcing with payouts.
A lot of pentesters make good money off bounty hunting. Some months they make more money off hunting than they do their day job.
I got a t-shirt from Cloudflare, and all I did was tell them "please send me a t-shirt" - they shipped it halfway across the world as well, for free! (It didn't fit...)
Good to know the security of their users is worth a t-shirt.
I never really got this argument. Is it not much better than the majority of companies that have no bug bounty and where the reporter needs to worry they will be met with legal threats instead of a t-shirt?