Comment by iinnPP
2 months ago
It isn't always about money, even when that is the stated problem.
The dollar value of a responsible report going up means more responsibility overall and less problem leaks, exploits, etc.
I would be equally happy to see any solution where the end result is increased security and privacy for everyone, even at zero bounty.
The problem being overlooked is that the actual cost of these exploits and bugs is paid by the people who had no say whatsoever in any matter regarding the issue. Any time a company is being "cheap" at the expense of regular people is a bad time, from my perspective.
Google has the power to limit the exposure of the people who use their products (and this isn't always voluntary exposure, mind you) and is choosing to profit a teeny tiny bit more instead. At no immediately obvious cost to them, why not?
> The dollar value of a responsible report going up means more responsibility overall and less problem leaks, exploits, etc.
Does it? I just had a bug bounty program denied for budget approval at my work because of the cost of the bounties and the sufficiency of our existing security program. On the margins, it's not clear to me that the dollar value of a report going up is incentivizing better reports vs pricing smaller companies out of the market.
This is a great point and I did not really think of this in the above statement.
It may work kind of how employment works, where Google can afford to pay more than a company that cannot afford a 10k bounty.
Google paying a 10k bounty is the equivalent of the bottom 10% of earners in the US paying a 6th (napkin math) of a soon-to-be-discontinued penny.
Regardless, you are correct that the calculation is not obvious, unlike how I presented it. Preferably, things like multiple million character titles are handled correctly and no bounty is paid at all. I expect a smaller company to have an easier time here as well, lessening the financial burden.
> I expect a smaller company to have an easier time here as well, lessening the financial burden.
Why would you expect that? In a smaller company the ratio of developers to HTTP endpoints tends to be substantially lower (fewer devs per feature) than in a large company, so I'd expect the opposite.