Comment by mlyle

2 months ago

> Bounty programs are a pretty recent development and the idea that they should be scalable and stable well paying employment for a lot of people is a bit strange to me.

So, the value to the researcher of having a found bug has a floor of the black market value.

The value to Google is whatever the costs of exploitation are: reputational, cleanup, etc.

A sane value is somewhere between these two, depending on bargaining power, of course. Now, Google has all the bargaining power. On the other hand, at some point there's the point where you feel like you're being cheated and you'd rather just deal with the bad guys instead.

That's not true because there is an economic cost for most people to committing crimes. "Hey you could make more money selling that on the black market" is not going to convince me to sell something on the black market.

Bounty programs are very much not trying to compete with crime.

  • It is a factor though. Most people will commit non-violent crime for a big enough pay off. Especially one where the individuals affected are hard to identify.

    If my bug bounty is $10,000 and I can sell it for $20,000 then most people will take the legitimate cash. If it's $10,000 and some black market trader will pay $10,000,000 (obviously exaggerating) then a whole mess of people are going to take the ten million.

    • Except it's not "legitimate cash" and that's the point.

      * Are you talking to someone legitimately interested in purchasing and paying you, or is this a sting?

      * If you're meeting up with someone in person, what is the risk that the person will bring payment or try to attack you?

      * If you're meeting with someone in person, how do you use $20k in cash without attracting suspicion? How much time will that take?

      * If it's digital, is the person paying you or are the funds being used to pay you clean or the subject of an active investigation? What records are there? If this person is busted soon will you be charged with a crime?

      There are a lot of unknowns and a lot of risks, and most people would gladly take a clean $10k they can immediately put in the bank and spend anywhere over the hassle.

      7 replies →

  • The reputation angle shouldn't be dismissed: Google paying so little for this bug is the whole reason this article stays on the top page and gets so much discussion.

    I don't know how much it should be worth, but at least there's a PR effect and it's also a message towards the dev community.

    I see it the same way: ridiculously low penalties for massive data breaches taught us how much privacy is actually valued.

    • If Google doesn't have the best reputation of any large tech company for security, it's in the top 3. This is not the nightmare scenario for Google that people think it is. It's a large payout for this bug class, so, if anything, what we're doing here is advertising for them.

      2 replies →

  • I wonder what your definition of crime is.

    Legally, in most places of the world it isn't.

    Morality differs among people too. Profiting off a trillion dollar company will not cross the line for a lot of people.

    • Most people have an intuitive sense to ask themselves questions like "If I do this, will someone be harmed, who, how much harm, what kind of harm, etc.", that factors into moral decisions.

      Almost everyone, even people without a moral sense, has a self-preservation sense: "How likely is it that I will get caught? If I get caught, will I get punished? How bad will the punishment be?" These factor into a personal risk decision. Laws, among other purposes, are a convenient way to inform people ahead of time of the risks, in hopes of deterring undesirable behavior.

      But most people aren't sociopaths and while they might make fuzzy moral decisions about low-harm low-risk activities, they will shy away from high-harm or high-risk activities, either out of moral sense or self preservation sense or both.

      "Stealing from rich companies" is just a cope. In the case of an exploit against a large company, real innocent people can be harmed, even severely. Exposing whistleblowers or dissidents has even resulted in death.

      6 replies →

  • Selling a bug is not a crime.

    > Bounty programs are very much not trying to compete with crime.

    Nor did my post posit this.

    Bounty programs should pay a substantial fraction of the downside saved by eliminating the bug, because A) this gives an appropriate incentive for effort and motivates the economically correct amount of outside research, and B) this will feel fair and make people more likely to do what you consider the right thing, which is less likely if people feel mistreated.

    • Should this be true only for vulns, or all bugs? If I as a third party find a bug that is causing Google to undercharge on ads by a fraction, should Google be obligated to pay me a mountain of cash?

      Is there any evidence that OP feels that this payout was unfair?

      1 reply →

    • How do you propose to calculate "the downside saved by eliminating the bug" - ideally in general, but I'd be curious to see if you could do it even for the specific bug discussed in this article.

      5 replies →

As mentioned by thread starter, you can also sell to some national security agency. That way, you're doing your patriotic duty and making a buck. So Google has an incentive to at least beat those offerings.