Comment by kccqzy
2 months ago
I hate how this HN thread is mostly about discussing the amount of bounty, but I'm afraid it's only natural. Most commenters here are working in the software industry and they want to normalize extremely high bounties. It's an extra income source for them. They want higher bug bounties much like they want SWEs to be a highly compensated profession. It's only natural for workers to demand higher pay for their own profession. No amount of rationalization will change that instinct.
It isn't always about money, even when that is the stated problem.
The dollar value of a responsible report going up means more responsibility overall and less problem leaks, exploits, etc.
I would be equally happy to see any solution where the end result is increased security and privacy for everyone, even at zero bounty.
The problem being overlooked is that the actual cost of these exploits and bugs is paid by the people who had no say whatsoever in any matter regarding the issue. Any time a company is being "cheap" at the expense of regular people is a bad time, from my perspective.
Google has the power to limit the exposure of the people who use their products (and this isn't always voluntary exposure, mind you) and is choosing to profit a teeny tiny bit more instead. At no immediately obvious cost to them, why not?
> The dollar value of a responsible report going up means more responsibility overall and less problem leaks, exploits, etc.
Does it? I just had a bug bounty program denied for budget approval at my work because of the cost of the bounties and the sufficiency of our existing security program. On the margins, it's not clear to me that the dollar value of a report going up is incentivizing better reports vs pricing smaller companies out of the market.
This is a great point and I did not really think of this in the above statement.
It may work kind of how employment works, where Google can afford to pay more than a company that cannot afford a 10k bounty.
Google paying a 10k bounty is the equivalent of the bottom 10% of earners in the US paying a sixth (napkin math) of a soon-to-be-discontinued penny.
Regardless, you are correct that the calculation is not obvious, unlike how I presented it. Preferably, things like multiple-million-character titles are handled correctly and no bounty is paid at all. I expect a smaller company to have an easier time here as well, lessening the financial burden.
1 reply →
I'm not a SWE anymore and haven't been one for a long time.
I think it's in everyone's interest for bug bounties to be higher than harmful markets for the same bug, and a decent fraction of the harms they prevent. That's what is going to result in the economically efficient amount of bug hunting. And it's going to result in a safer world with less cybercrime.
No, it's not. CNE is shockingly effective, both for organized crime and for the international IC. The productivity wins are so great there is enormous space for the market prices of tradable vulnerabilities to increase; maybe even multiple orders of magnitude. We're not going to disrupt that process with bug bounties.
I really think people just like to think about stories where someone like them finds a bug and gets a lottery jackpot as a result. I like that story too! It's fun.
Smart companies running bug bounties --- Google is probably the smartest --- are using them like engineering tools; both to direct attention on specific parts of their codebase, and, just as importantly, as an internal tool to prioritize work. This is part of why we keep having stories where we're shocked about people finding oddball security- and security-adjacent bugs that get zero payouts.
> I really think people just like to think about stories where someone like them finds a bug and gets a lottery jackpot as a result. I like that story too! It's fun.
Increasing bounties by a small factor will be enough to reduce things on the grey market and to increase the ROI of people choosing to do freelance security research. The time between payoffs is enough that no one is going to get rich from $150k bounties.
Don't forget the extrinsic benefits: easier to brag about bounties on your resume than selling things into the grey market.
> Smart companies running bug bounties --- Google is probably the smartest --- are using them like engineering tools; both to direct attention on specific parts of their codebase, and, just as importantly, as an internal tool to prioritize work.
These "smart" companies should consider just how cheap even higher bounties are to prevent massive downsides. Of course, an underlying problem is how well these companies have insulated themselves from the consequences of writing and not fixing vulnerable software. A sane liability (and insurance) regime would go a long way towards aligning incentives properly.
7 replies →
> I really think people just like to think about stories where someone like them finds a bug and gets a lottery jackpot as a result. I like that story too! It's fun.
P.S. a lot of the time your writing comes off as having a smug tone that rubs me the wrong way.
Actually, I already won a small lottery jackpot doing security stuff. Then a large one doing security stuff. Then a small one again doing other stuff. I could have retired a couple of decades ago, but now I'm a schoolteacher for the funsies. My days of scrunching over IDA Pro for pennies are over: I've got no personal direct interest in whether research gets paid more or less.
I just think that bug bounties are a good thing, but by being underfunded and with uneven quality of administration a lot of the potential benefit is left on the table.
5 replies →
SWE comp is weird in that typically it is zero (see what's on Github!), often it is middle class, and sometimes it is small-scale CEO (as in the actual job, not a founder) level.
I guess bounties fit into the framework somewhere between the Github and middle class engineer.
I think it comes down to supply and demand. It also shows you what Google would pay employees if things were in their favour. In unrelated news, a tech billionaire is almost de facto VP of the US.
When bug bounties are priced low, it also irks those among us who care about security — for the sake of the organizations we work for, for the sake of our end users, and for the sake of the world at large.
[flagged]
You say greed but I would wager that most people in the thread are not financially independent. If someone can't retire from needing money in perpetuity, is it really greed to want to move that needle from "no" closer to "yes"?
Or even just the next meal. We don't know their situation, and I've heard quite a few stories of the tech-adept being on the streets or behind bars. Some amount of greed is normal. It's when it goes way beyond that, into avarice, that it's a problem.