
Comment by UncleMeat

2 months ago

Bug bounty programs are not the only (or even primary) way that security researchers get paid. Google pays employees salaries to find vulns. Bounty programs are a pretty recent development and the idea that they should be scalable and stable, well-paying employment for a lot of people is a bit strange to me.

If security researchers want to have stable employment doing this sort of work, there are oodles of job applications they can send out.

> Bounty programs are a pretty recent development and the idea that they should be scalable and stable, well-paying employment for a lot of people is a bit strange to me.

So, the value to the researcher of a found bug has a floor of the black-market value.

The value to Google is whatever the costs of exploitation are: reputational, cleanup, etc.

A sane value is somewhere between these two, depending on bargaining power, of course. Now, Google has all the bargaining power. On the other hand, at some point you feel like you're being cheated and you'd rather just deal with the bad guys instead.

  • That's not true because, for most people, there is an economic cost to committing crimes. "Hey, you could make more money selling that on the black market" is not going to convince me to sell something on the black market.

    Bounty programs are very much not trying to compete with crime.

    • It is a factor though. Most people will commit non-violent crime for a big enough payoff. Especially one where the individuals affected are hard to identify.

      If my bug bounty is $10,000 and I can sell it for $20,000 then most people will take the legitimate cash. If it's $10,000 and some black market trader will pay $10,000,000 (obviously exaggerating) then a whole mess of people are going to take the ten million.

      8 replies →

    • The reputation angle shouldn't be dismissed: Google paying so little for this bug is the whole reason this article stays on the top page and gets so much discussion.

      I don't know how much it should be worth, but at least there's a PR effect and it's also a message towards the dev community.

      I see it the same way ridiculously low penalties for massive data breaches taught us how much privacy is actually valued.

      3 replies →

    • I wonder what your definition of crime is.

      Legally, in most parts of the world it isn't.

      Morality differs among people too. Profiting off a trillion dollar company will not cross the line for a lot of people.

      7 replies →

    • Selling a bug is not a crime.

      > Bounty programs are very much not trying to compete with crime.

      Nor did my post posit this.

      Bounty programs should pay a substantial fraction of the downside saved by eliminating the bug, because A) this gives an appropriate incentive for effort and motivates the economically correct amount of outside research, and B) this will feel fair and make people more likely to do what you consider the right thing, which is less likely if people feel mistreated.

      8 replies →

  • As mentioned by thread starter, you can also sell to some national security agency. That way, you're doing your patriotic duty and making a buck. So Google has an incentive to at least beat those offerings.