Comment by hedora
2 months ago
Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.
If we apply your analysis to other things, we’ll find that the upper bound price for a new car stereo or bike is ~ $100, and the price of any copyrighted good is bounded by the cost of transferring it over the network.
I think it is more useful to divide the amount Google paid by the number of hours spent on this and any unsuccessful exploit attempts since the last bounty was paid.
I’d guess that the vast majority of people in this space are making less than US minimum wage for their efforts, with a six figure per year opportunity cost.
That tells you exactly how much Google values the security and preserving the privacy of its end users. The number is significantly lower than what they pay other engineers orders of magnitude more to steal personal information from the same group of people.
> Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.
> If we apply your analysis to other things
This analysis doesn't work for a few reasons:
* For physical goods, used items always fetch a lower price than new items due to unrelated effects. And if we're only looking at the used price, we do find that the black market price is just about equal to the used item's value minus the risk associated with dealing with stolen goods (unless the buyer is unaware of the theft, in which case the black market value is the same as the used value).
* For both physical and digital goods, there are millions of potential customers for whom breaking the law isn't an option, creating a large market for the legal good that can serve to counter the effect of the black market price. This isn't true of exploits, where the legal market is tiny relative to the black market. We should expect to see the legal market prices track the black market prices more closely when the legal market is basically "the company who built the service and maybe a few other agencies".
> For physical goods, used items always fetch a lower price than new items
This is only true under certain circumstances. If there are supply chain issues, used prices can go up and over the list price. The most extreme (and obvious) example I've seen is home gym equipment during the Covid lockdowns, particularly for stuff like rowing machines.
The other potentially less obvious example is seen in countries that don't have a local presence or distributor for a given item, and the pain and slowness of importing leads to local used prices being above list price.
One other potentially interesting semi-related point: prices for used items can sometimes increase in unexpected ways (excluding obvious stuff like collectables, art, antiques etc). In the UK, the used price for a Nissan Leaf EV started increasing with age after the market realised that fears about their battery failing ~5 years into ownership were unfounded urban myths, and repriced accordingly.
> If there are supply chain issues, used prices can go up and over the list price.
The comment you're replying to isn't referring to list price, they're referring to the price of a new item.
Supply chain issues, as we saw during COVID, affect the cost of new items by making them effectively infinite: if there are only 100 new rowing machines available and 1000 people want them, then for 900 people, the list price of a new rowing machine is irrelevant because they can't actually buy it at that price.
Bug bounty programs are not the only (or even primary) way that security researchers get paid. Google pays employees salaries to find vulns. Bounty programs are a pretty recent development and the idea that they should be scalable and stable well paying employment for a lot of people is a bit strange to me.
If security researchers want to have stable employment doing this sort of work, there's oodles of job applications they can send out.
> Bounty programs are a pretty recent development and the idea that they should be scalable and stable well paying employment for a lot of people is a bit strange to me.
So, the value to the researcher of having a found bug has a floor of the black market value.
The value to Google is whatever the costs of exploitation are: reputational, cleanup, etc.
A sane value is somewhere between these two, depending on bargaining power, of course. Now, Google has all the bargaining power. On the other hand, at some point there's the point where you feel like you're being cheated and you'd rather just deal with the bad guys instead.
That's not true because there is an economic cost for most people to committing crimes. "Hey you could make more money selling that on the black market" is not going to convince me to sell something on the black market.
Bounty programs are very much not trying to compete with crime.
As mentioned by thread starter, you can also sell to some national security agency. That way, you're doing your patriotic duty and making a buck. So Google has an incentive to at least beat those offerings.
I think the right comparison to make here is art. The compensation floor is zero, and, in fact, that's what most vuln research pays.
Most other fields produce things that can be sold in the legal market - and so the value of those things can be determined by the market.
> and the price of any copyrighted good is bounded by the cost of transferring it over the network
It sure has worked out pretty much like this for music. The cost is not exactly zero, but pretty close to that.
> Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.
What you’re saying can be seen as tautological. The reason a gray/black market exists is precisely because the field is undercompensating (aka in disequilibrium).
> Most other fields of endeavor aren’t compensated based on the black market value of the thing that’s being produced.
They're buying exclusive access to some information, which is a somewhat unusual thing to pay for.
News reporters do take spicy stories to tabloids, rather than the normal press, as the tabloids will pay more.
Yep, I came to the same conclusion. The payments from bug bounties and the uncertainty of payment just isn't worth it. It's like taking a fixed price contract and adding in a gambling element to get paid. Fixed price, I learned, was bad enough if you want to make anything as a software engineer. This is even worse though.
I mean, the technical skills in the article here are basic. But the first finding was significantly good luck, and having the background to know to look towards old Google services for the ID to email part was non-obvious. You would need a lot of high-quality, guiding knowledge like that to make bug bounties work. Still, seems like a very high starting cost.
They mentioned the grey market a couple of times, although some of their examples did seem like applications that would be more useful for the black market.
Anyway, I’m not 100% sure what they meant by grey market. It looks like they were talking about maybe selling to “agencies” which, I guess, could include state intelligence agencies. If that’s what they meant, it wouldn’t be that surprising to find that the black market and grey market prices influence each other, right?
I mean we could ask our intelligence agencies why they are shopping in the same markets as criminals but I guess they will say something like “it is important that we <redacted> on the <redacted>, which will allow us to better serve the <redacted> and keep the <redacted> safe.”