
Comment by nightpool

2 months ago

> The dollar value of a responsible report going up means more responsibility overall and less problem leaks, exploits, etc.

Does it? I just had a bug bounty program denied for budget approval at my work because of the cost of the bounties and the sufficiency of our existing security program. On the margins, it's not clear to me that the dollar value of a report going up is incentivizing better reports vs pricing smaller companies out of the market.

This is a great point and I did not really think of this in the above statement.

It may work kind of how employment works, where Google can afford to pay more than a company that cannot afford a 10k bounty.

Google paying a 10k bounty is the equivalent of the bottom 10% of earners in the US paying a 6th (napkin math) of a soon-to-be-discontinued penny.

Regardless, you are correct that the calculation is not obvious, unlike how I presented it. Preferably, things like multiple-million-character titles are handled correctly and no bounty is paid at all. I expect a smaller company to have an easier time here as well, lessening the financial burden.

  • > I expect a smaller company to have an easier time here as well, lessening the financial burden.

    Why would you expect that? In a smaller company the ratio of developers to HTTP endpoints tends to be substantially lower (fewer devs per feature) than in a large company, so I'd expect the opposite.