Comment by mlyle

2 months ago

I'm not a SWE anymore and haven't been one for a long time.

I think it's in everyone's interest for bug bounties to be higher than harmful markets for the same bug, and a decent fraction of the harms they prevent. That's what is going to result in the economically efficient amount of bug hunting. And it's going to result in a safer world with less cybercrime.

No, it's not. CNE is shockingly effective, both for organized crime and for the international IC. The productivity wins are so great there is enormous space for the market prices of tradable vulnerabilities to increase; maybe even multiple orders of magnitude. We're not going to disrupt that process with bug bounties.

I really think people just like to think about stories where someone like them finds a bug and gets a lottery jackpot as a result. I like that story too! It's fun.

Smart companies running bug bounties --- Google is probably the smartest --- are using them like engineering tools; both to direct attention on specific parts of their codebase, and, just as importantly, as an internal tool to prioritize work. This is part of why we keep having stories where we're shocked about people finding oddball security- and security-adjacent bugs that get zero payouts.

  • > I really think people just like to think about stories where someone like them finds a bug and gets a lottery jackpot as a result. I like that story too! It's fun.

    Increasing bounties by a small factor will be enough to reduce things on the grey market and to increase the ROI of people choosing to do freelance security research. The time between payoffs is enough that no one is going to get rich from $150k bounties.

    Don't forget the extrinsic benefits: easier to brag about bounties on your resume than selling things into the grey market.

    > Smart companies running bug bounties --- Google is probably the smartest --- are using them like engineering tools; both to direct attention on specific parts of their codebase, and, just as importantly, as an internal tool to prioritize work.

    These "smart" companies should consider just how cheap even higher bounties are to prevent massive downsides. Of course, an underlying problem is how well these companies have insulated themselves from the consequences of writing and not fixing vulnerable software. A sane liability (and insurance) regime would go a long way towards aligning incentives properly.

    • From conversations with people who participate in the grey market today and conversations with people involved in large-scale bounties, I think everybody believes that payouts for high-value exploits (and thus bounty payoffs for high-value POCs) are going to climb, probably rapidly, so the thing you want is a thing I expect to happen, and am happy is happening.

      Where we differ is the long-term impact of those increasing costs. I don't think market competition is going to meaningfully improve security. Things like swapping out components for memory-safe replacements, hardening runtimes, and deprecating ancient protocols and formats have, though, and will continue to pay off. So I'm optimistic, just for a different reason than you are.

  • > I really think people just like to think about stories where someone like them finds a bug and gets a lottery jackpot as a result. I like that story too! It's fun.

    P.S. a lot of the time your writing comes off as having a smug tone that rubs me the wrong way.

    Actually, I already won a small lottery jackpot doing security stuff. Then a large one doing security stuff. Then a small one again doing other stuff. I could have retired a couple of decades ago, but now I'm a schoolteacher for the funsies. My days of scrunching over IDA Pro for pennies are over: I've got no personal direct interest in whether research gets paid more or less.

    I just think that bug bounties are a good thing, but by being underfunded and with uneven quality of administration a lot of the potential benefit is left on the table.

    • Sorry you feel that way, but I own it. You're welcome not to take me seriously. I know your background. But I think you've made some claims in this thread that are probably wrong.