Comment by tptacek

https://www.youtube.com/watch?v=Y0pdQU87dc8

> Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.

> If we apply your analysis to other things

This analysis doesn't work for a few reasons:

* For physical goods, used items always fetch a lower price than new items due to unrelated effects. And if we're only looking at the used price, we do find that the black market price is just about equal to the used item's value minus the risk associated with dealing with stolen goods (unless the buyer is unaware of the theft, in which case the black market value is the same as the used value).

* For both physical and digital goods, there are millions of potential customers for whom breaking the law isn't an option, creating a large market for the legal good that can serve to counter the effect of the black market price. This isn't true of exploits, where the legal market is tiny relative to the black market. We should expect to see the legal market prices track the black market prices more closely when the legal market is basically "the company who built the service and maybe a few other agencies".

Bug bounty programs are not the only (or even primary) way that security researchers get paid. Google pays employees salaries to find vulns. Bounty programs are a pretty recent development and the idea that they should be scalable and stable well paying employment for a lot of people is a bit strange to me.

If security researchers want to have stable employment doing this sort of work, there's oodles of job applications they can send out.

I think the right comparison to make here is art. The compensation floor is zero, and, in fact, that's what most vuln research pays.

Most other fields produce things that can be sold in the legal market - and so the value of those things can be determined by the market.

> and the price of any copyrighted good is bounded by the cost of transferring it over the network

It sure has worked out pretty much like this for music. The cost is not exactly zero, but pretty close to that.

>Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.

What you’re saying can be seen as tautological. The reason a gray/black market exists is precisely because the field is undercompensating (aka in disequilibrium)

> Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.

They're buying exclusive access to some information, which is a somewhat unusual thing to pay for.

News reporters do take spicy stories to tabloids, rather than the normal press, as the tabloids will pay more.

Yep, I came to the same conclusion. The payments from bug bounties and the uncertainty of payment just isn't worth it. It's like taking a fixed prize contract and adding in a gambling element to get paid. Fixed prized I learned was bad enough if you want to make anything as a software engineer. This is even worse though.

I mean, the technical skills in the article here are basic. But the first finding was significantly good luck, and having the background to know to look towards old Google services for the ID to email part was non-obvious. You would need a lot of high-quality, guiding knowledge like that to make bug bounties work. Still, seems like a very high starting cost.

They mentioned the grey market a couple time, although some of their examples did seem like applications that would be more useful for the black market.

Anyway, I’m not 100% sure what they meant by grey market. It looks like they were talking about maybe selling to “agencies” which, I guess, could include state intelligence agencies. If that’s what they meant, it wouldn’t be that surprising to find that the black market and grey market prices influence each other, right?

I mean we could ask our intelligence agencies why they are shopping in the same markets as criminals but I guess they will say something like “it is important that we <redacted> on the <redacted>, which will allow us to better serve the <redacted> and keep the <redacted> safe.”

It isn't always about money, even when that is the stated problem.

The dollar value of a responsible report going up means more responsibility overall and less problem leaks, exploits, etc.

I would be equally happy to see any solution where the end result is increased security and privacy for everyone, even at zero bounty.

The problem being overlooked is that the actual cost of these exploits and bugs is paid by the people who had no say whatsoever in any matter regarding the issue. Any time a company is being "cheap" at the expense of regular people is a bad time, from my perspective.

Google has the power to limit the exposure of the people who use there products (and this isn't always voluntary exposure mind you) and is choosing to profit a teeny tiny bit more instead. At no immediately obvious cost to them, why not?

I'm not a SWE anymore and haven't been one for a long time.

I think it's in everyone's interest for bug bounties to be higher than harmful markets for the same bug, and a decent fraction of the harms they prevent. That's what is going to result in the economically efficient amount of bug hunting. And it's going to result in a safer world with less cybercrime.

SWE comp is weird in that typically it is zero (see what's on Github!) often it us middle class and sometimes it is small scale CEO (as in the actual job not a founder) level.

I guess bounties fit into the framework somewhere between the Github and middle class engineer.

I think it comes down to supply and demand. It also shows you what Google would pay employees if things were in their favour. On unrelated news, a tech billionaire is almost defacto VP of the US.

When bug bounties are priced low, it also irks those among us who care about security — for the sake of the organizations we work for, for the sake of our end users, and for the sake of the world at large.

[flagged]

You are imagining a market that doesn’t exist.

First there are only very few gobs/companies that are sketchy enough to do this - and for those a huge number of non-anonymous people exist with huge reach that are very critical for years. If such a market would exist they would assassinate all those first - you don’t need the email if you have the face, voice, and name - since that is not happening they just don’t care that much about it.

i think what's being conflated here is that there are reasonably buyers for this kind of vulnerability but there's no market in the truest sense. I think a correctly connected individual could well sell this vuln to a state actor or a contractor to one; but the ecosystem of bug sales to these parties has no aggregate appetite for them, thus, there is nothing driving the price up. People in the market for cyberweapons want point and shoot vulns that have broad usage beyond a specific server for a specific company or parts for them, and ones that will last beyond a single corporation patching something. They are willing to pay such big $$$ for this that the whole market is optimized for it. The power players here would much rather buy a gun and shoot the lock off a door than a specialised set of picks that work for that lock in that building.

The only real market (that I can see) are shady data aggregators. Governments just file subpoenas, and abusive megacorps can file lawsuits (all the anti-SLAPP statues in the world can't prevent your Google account from being unmasked and having to pay for a lawyer). There is a limited market in the form of internet addicts who want to harass people for kicks (since finding an email gives them another route to do that with), but it's a small one. These people also tend to be entitled pricks, so they're not a very good customer base to have.

> then you should also pay well the people who help you catch and fix their gazillion mistakes before bad things happens.

You missed their point about the business model of the security researchers here: their business model is finding a large number of small value vulnerabilities. Those who are good at this are very very good at this.

My company has a bug bounty program and some of the researchers participating in it make double or more my salary off of our program, but we never pay out more than this for a single report. And it's not like we're particularly vulnerable, we just get a steady stream of very small issues and we pay accordingly.

Yeah, _should_ but businesses make money and not reporting and using the vulnerability in any other way is illegal, so they get to set the price as they're the only buyer. They know this.

There's also the thing where like, as you go from iOS Safari to Windows Chrome to Acrobat Reader or whatever, grey market prices plummet. The top-dollar targets all have multilayered runtime protections and whole teams that do nothing but security refactoring. No serverside software is hardened that way (excepting the Linux kernel, maybe, but Linux kernel bugs are a standard component of clientside exploit chains). You could infer a pretty low price.

I will say: at Matasano, we were once asked by an established security company that turned out to be a broker to find PHPBB vulnerabilities.

Perhaps because email addresses are kinda/sorta PII (business emails are categorically not) but not quite comparable to home addresses, tax/payment information, etc..

Our emails get leaked all the time in data breaches, sometimes alongside much more important information such as home addresses etc..

This was certainly a bad leak that could be used to further dox people by connecting the email to other leaked info or other sources, but from Google's perspective, all they did was leak the email.

It was a privacy breach for sure.

But further doxxing based on the email would be "not their problem" I suspect they would say.

Why isn't that conceivably worth more than $10,000?

As explained by the parent comment, because there isn't a market for it. It's a novelty. Who are you going to sell that exploit to? At this time, nobody. Since Google doesn't have to compete against others for the bug, it pays low.

Oh darn, my youtube email was leaked... It certainly stinks that mybusinessname@gmail.com is now known to the world...

There's certainly bad things that CAN be done to a number of people with information when it's a personal email address that's used for numerous purposes... but the 3 people I talked to about having youtube (or any streaming) accounts all have mentioned it as being a separate account.

So the only threat I can see in most cases is just better phishing attempts, which is not necessarily an easy money maker... Unless they can steal the entire account? It is impossible to get support from Google, so it's quite possible you could change the bank info and get a month or two of payments before someone gets in the loop to stop it... and realistically, the more money someone is making on YouTube, the less likely they have troubles contacting someone at Google by some side channel... and the less likely it's a personal email address that reaches the actual star of the channel.. so the more popular the person, the less valuable the email address

I think a simple way to think of it is: how much would an adversarial nation state buy this exploit for?

I just don't think Russia would be willing to pay $100,000 to get Mr. Beast's email address, even if that sounds tempting to you.

The majority of the top 1000 YouTube accounts will actually have an email address publicly available, as they are a business and they want people to be able to reach out to them for sponsorships or brand collaborations.

For example, MrBeast has this in the video description:

> For any questions or inquiries regarding this video, please reach out to chucky@mrbeastbusiness.com

The vulnerability here is that you can find the exact email address tied to their YouTube account, which you can't really do anything with if they have strong passwords and use 2FA.

> Why isn't that conceivably worth more than $10,000?

If it exposed passwords as well then that would be worth a lot more, but a list of email addresses is not the most valuable of things on its own.

My guess was that people selling vulnerabilities generally know who they’re selling to. Is there a big market for people selling exploits to unknown/anonymous customers?

> This exploit could have been used to create a massive near-complete database of every Google account has automatically had a Youtube account created.

Massive email databases are extremely cheap, often free. For this vulnerability to be worth more than $10k there would have to be something about it being a near-complete library of Google accounts (rather than just another massive mailing list).

And that's assuming the prospective buyer believed that they could exploit this vulnerability in full before discovery. If I'm reading this exploit right, each email recovered requires two requests, one of which needs to make one of the fields 2.5 million characters long in order to error out the notification email sent to the victim. Presumably that email sending error would show up in a log somewhere, so the prospective attacker would have to send billions of requests fast enough that Google can't block them as suspicious or patch the vulnerability, all the while knowing full well that they're filling up an error log somewhere and leaving an extremely suspicious pattern of megabyte-sized request bodies on a route that normally doesn't even reach kilobytes.

I'm honestly not seeing how you could make an email list out of this that is anywhere near complete, and even if you could I'm not sure where the value to it would be.

And then what?

Exploits need to plug into a business plan. Like any business plan there has to be somewhere that money gets extracted and that money needs to be more than the exploit cost & infrastructure costs & a risk premium.

If you can’t trivially say how the exploit explicitly gets turned into cash you probably are on the wrong track. Doubly so if it’s not a known standard and commoditized way that’s happened before.

But then what? Given the number of accounts Google has, odds are that nearly every alphanumeric combo less than 8 or 10 characters plus “@gmail.com” is a google account. This vulnerability gets you other domains, but still not seeing it. Massive databases of email addresses are a dime a dozen.

The only angle I can imagine is phishing for high profile creators, and at most this is a “makes it easier” and not a “creates the problem” bug.

Honestly, that leaves straight up harassment of YouTubers by other YouTubers and fans off the table which by itself would motivate a few of them. Some of the same people who play in the black and grey hat worlds are the same people buying DDOS attacks and swatting streamers. They would have a party with their emails.

And? So what. You can spam them?

Come on.

Do any companies pay bounties for path #2? My understanding is that it's forbidden by most bounty programs since it could be seen as a form of extortion.

For #1, as tptacek says, it would be trivially easy for Google to shut a service like that down as soon as it was created, and prosecute the people running the service under the CFAA. Also, the amount of demand for that kind of data is pretty small given the number of email address databases already available online through legal means (e.g. Zoominfo, RocketReach, etc). It's a path filled with a lot of risk and not a ton of reward.

ZDI claims they'll pay for bugs in serverside software, which is a different meaning of the term "serverside" than I'm using (admittedly, that definition is more precise). An nginx bug has a half-life once discovered. A Youtube bug does not.

I'm a little skeptical of published prices for serverside software, though. Do you know anyone who specializes in selling those bugs? I don't.