Comment by mlyle
2 months ago
Selling a bug is not a crime.
> Bounty programs are very much not trying to compete with crime.
Nor did my post posit this.
Bounty programs should pay a substantial fraction of the downside saved by eliminating the bug, because A) this gives an appropriate incentive for effort and motivates the economically correct amount of outside research, and B) this will feel fair and make people more likely to do what you consider the right thing, which is less likely if people feel mistreated.
Should this be true only for vulns, or all bugs? If I as a third party find a bug that is causing Google to undercharge on ads by a fraction, should Google be obligated to pay me a mountain of cash?
Is there any evidence that OP feels that this payout was unfair?
> If I as a third party find a bug that is causing Google to undercharge on ads by a fraction, should Google be obligated to pay me a mountain of cash?
No, but Google should understand that if they give a token payment, people will be less likely to help in future situations like this. And might be inclined to just instead tell ad buyers about the loophole quietly.
How do you propose to calculate "the downside saved by eliminating the bug" - ideally in general, but I'd be curious to see if you could do it even for the specific bug discussed in this article.
Organizations price future, nebulous things all the time.
Imagine a possible downside or two, imagine a probable risk, multiply, discount.
Sure, but give some specific values. What potential damages and potential risk multiply to more than $10k?