Comment by lolinder

2 months ago

> then you should also pay well the people who help you catch and fix their gazillion mistakes before bad things happen.

You missed their point about the business model of the security researchers here: their business model is finding a large number of small value vulnerabilities. Those who are good at this are very very good at this.

My company has a bug bounty program, and some of the researchers participating in it make double or more my salary off of our program, but we never pay out more than this for a single report. And it's not like we're particularly vulnerable; we just get a steady stream of very small issues and we pay accordingly.

They're right: I was talking about the business models at the buyers that these vulnerabilities have to slot into. The point I'm making is: there already has to be an operating business that's doing this for a vulnerability to be salable at all. If there isn't one, you're not selling a vulnerability, you're helping plan a heist.

  • Right, I'm only responding to the last part, where they imply that these researchers are not well paid. I'm saying that on an hourly or monthly basis, $10k a vulnerability is actually quite a good payout when you have a surface area as large as Google's to explore and know what you're doing.

    Their last paragraph shows that they didn't understand your paragraph here:

    > For people who make their nut finding these kinds of bugs, the business strategy is to get good at finding lots of them. It's not like iOS exploit development, where you might sink months into a single reliable exploit.

    • > Their last paragraph shows that they didn't understand

      I think I understood. The last paragraph of mine that you cite was speaking of the creator of the bugs, not the discoverer.

      The liable party should be investing reasonably towards non-negligence. (Especially in the context of spending billions of dollars each year on oft-misaligned headcount that's creating many of these liabilities.)

      I'm not talking about the company optimizing for the minimal amount they think they can get away with paying to try to cover their butt. Nor am I talking about how white/gray-hat researchers adapt viable small businesses to that reality.