Comment by tptacek
2 months ago
They're right: I was talking about the business models at the buyers that these vulnerabilities have to slot into. The point I'm making is: there already has to be an operating business that's doing this for a vulnerability to be salable at all. If there isn't one, you're not selling a vulnerability, you're helping plan a heist.
Right, I'm only responding to the last part where they imply that these researchers are not well paid. I'm saying that on an hourly basis or monthly basis $10k a vulnerability is actually quite a good payout when you have a surface area as large as Google's to explore and know what you're doing.
Their last paragraph shows that they didn't understand your paragraph here:
> For people who make their nut finding these kinds of bugs, the business strategy is to get good at finding lots of them. It's not like iOS exploit development, where you might sink months into a single reliable exploit.
> Their last paragraph shows that they didn't understand
I think I understood. The last paragraph of mine that you cite was speaking of the creator of the bugs, not the discoverer.
The liable party should be investing reasonably towards non-negligence. (Especially in the context of spending billions of dollars each year on oft-misaligned headcount that's creating many of these liabilities.)
I'm not talking about the company optimizing for the minimal amount they think they can get away with paying to try to cover their butt. Nor am I talking about how white/gray-hat researchers adapt viable small businesses to that reality.