Comment by eli

8 years ago

If serious researchers are looking to get paid, I think bug bounties are the wrong approach entirely.

It's about payoff * probability.

Let's say I (an idiot, but knowledgeable enough) stumble upon a serious vulnerability in Google.

Option 1: I could try to sell that on a darknet market for a decent amount of money. State actors, hacker groups, lots of people want to pay for such things to exploit. But, I might not get paid very much, I might get screwed over, I might go to jail, who the heck knows, I'm playing with a bit of fire here. Could make a good pay day though.

Option 2: Google offers a bug bounty that is known to pay well. It probably offers guidance on how much my exploit is worth. They'll almost certainly pay. And hey, no one gets exploited, which most people feel is a good thing.

Value = payout * probability. If bug bounties pay well, option 2 has a higher value most of the time. But if a company offers t-shirts, or is known for screwing over the discoverer, the perceived value falls quickly.

That's why companies that take security seriously pay good bounties, loudly and publicly.

  • > I might go to jail

    Is selling exploits illegal? If so, is selling them to Google also illegal?

    • You're not so much selling them to Google, you're disclosing them.

      It's more of a contractual agreement between you and Google, or whatever company you're reporting the vulnerability to.

      As long as you follow the rules for their bug bounty, you'll be fine.

    • Telling Google about exploits in Google services in exchange for money is not illegal.

      Telling them about exploits in other services in exchange for money might be, depending on context.

      Your parent was talking about the former case.

    • > Is selling exploits illegal?

      Maybe. If the FBI decides to build a case against you for it, I'm sure they could find a law to use.

      > Is selling them to Google also illegal?

      I'm disclosing, and Google is granting me a reward. There's... some difference, I'm sure.

Why? Many can help find problems without having to be full-time, that's the point of crowd-sourcing with payouts.

  • Because you'll make much more working for people who specifically hire you instead of doing a bunch of risky work on spec.

    • The point of bug bounties isn't to attract the interest of people who are working to find bugs. It's to make sure that if someone is finding bugs for fun or stumbles over bugs by accident, it's worth their time to report the bugs.

    • An actual pentest would include (I'm assuming) all sorts of NDAs and legal contracts and stuff, all fine if you work in the industry, but if you're a bored hobbyist like me, bug bounties are a fun way to try and make a few dollars.

A lot of pentesters make good money off bounty hunting. Some months they make more money off hunting than they do their day job.