Comment by lolinder
2 months ago
Right, I'm only responding to the last part where they imply that these researchers are not well paid. I'm saying that on an hourly or monthly basis $10k a vulnerability is actually quite a good payout when you have a surface area as large as Google's to explore and know what you're doing.
Their last paragraph shows that they didn't understand your paragraph here:
> For people who make their nut finding these kinds of bugs, the business strategy is to get good at finding lots of them. It's not like iOS exploit development, where you might sink months into a single reliable exploit.
> Their last paragraph shows that they didn't understand
I think I understood. The last paragraph of mine that you cite was speaking of the creator of the bugs, not the discoverer.
The liable party should be investing reasonably towards non-negligence. (Especially in the context of spending billions of dollars each year on oft-misaligned headcount that's creating many of these liabilities.)
I'm not talking about the company optimizing for the minimal amount they think they can get away with paying to try to cover their butt. Nor am I talking about how white/gray-hat researchers adapt viable small businesses to that reality.