Comment by tptacek

2 months ago

No, it's not. CNE is shockingly effective, both for organized crime and for the international IC. The productivity wins are so great there is enormous space for the market prices of tradable vulnerabilities to increase; maybe even multiple orders of magnitude. We're not going to disrupt that process with bug bounties.

I really think people just like to think about stories where someone like them finds a bug and gets a lottery jackpot as a result. I like that story too! It's fun.

Smart companies running bug bounties --- Google is probably the smartest --- are using them like engineering tools; both to direct attention on specific parts of their codebase, and, just as importantly, as an internal tool to prioritize work. This is part of why we keep having stories where we're shocked about people finding oddball security- and security-adjacent bugs that get zero payouts.

> I really think people just like to think about stories where someone like them finds a bug and gets a lottery jackpot as a result. I like that story too! It's fun.

Increasing bounties by a small factor will be enough to reduce things on the grey market and to increase the ROI of people choosing to do freelance security research. The time between payoffs is enough that no one is going to get rich from $150k bounties.

Don't forget the extrinsic benefits: easier to brag about bounties on your resume than selling things into the grey market.

> Smart companies running bug bounties --- Google is probably the smartest --- are using them like engineering tools; both to direct attention on specific parts of their codebase, and, just as importantly, as an internal tool to prioritize work.

These "smart" companies should consider just how cheap even higher bounties are to prevent massive downsides. Of course, an underlying problem is how well these companies have insulated themselves from the consequences of writing and not fixing vulnerable software. A sane liability (and insurance) regime would go a long way towards aligning incentives properly.

  • From conversations with people who participate in the grey market today and conversations with people involved in large-scale bounties, I think everybody believes that payouts for high-value exploits (and thus bounty payoffs for high-value POCs) are going to climb, probably rapidly, so the thing you want is a thing I expect to happen, and am happy is happening.

    Where we differ is the long-term impact of those increasing costs. I don't think market competition is going to meaningfully improve security. Things like swapping out components for memory-safe replacements, hardening runtimes, and deprecating ancient protocols and formats have, though, and will continue to pay off. So I'm optimistic, just for a different reason than you are.

    • > I don't think market competition is going to meaningfully improve security.

      I think the things you describe all have long-term wins but may worsen the short-term picture. Sure, using better tools is good, but younger code is riskier for its own reasons.

      Bounties are a great short to intermediate strategy. There's code that's used today, and this is the way to get some near-term outside effort towards making it better (and these sentinel events can provide guidance on where to spend inside effort as you say).

      And, of course, if software engineering growing up means we actually get fewer bugs, bounties become even more worthwhile: any issues found will remove a bigger proportion of total vulnerability.


> I really think people just like to think about stories where someone like them finds a bug and gets a lottery jackpot as a result. I like that story too! It's fun.

P.S. A lot of the time your writing comes off as having a smug tone that rubs me the wrong way.

Actually, I already won a small lottery jackpot doing security stuff. Then a large one doing security stuff. Then a small one again doing other stuff. I could have retired a couple of decades ago, but now I'm a schoolteacher for the funsies. My days of scrunching over IDA Pro for pennies are over: I've got no personal direct interest in whether research gets paid more or less.

I just think that bug bounties are a good thing, but by being underfunded and with uneven quality of administration a lot of the potential benefit is left on the table.

  • Sorry you feel that way, but I own it. You're welcome not to take me seriously. I know your background. But I think you've made some claims in this thread that are probably wrong.

    • You're free to disagree, but you don't need to do it with the snarky variant "I like that story too! It's fun." that's so easily misread on the internet.

      You're right that I've not been involved in the grey market for a while. And when I did, I was on the "advising sophisticated buyers" side of it, rather than trying to sell things.
