
Comment by mlyle

2 months ago

> I really think people just like to think about stories where someone like them finds a bug and gets a lottery jackpot as a result. I like that story too! It's fun.

Increasing bounties by a small factor will be enough to reduce things on the grey market and to increase the ROI of people choosing to do freelance security research. The time between payoffs is enough that no one is going to get rich from $150k bounties.

Don't forget the extrinsic benefits: easier to brag about bounties on your resume than selling things into the grey market.

> Smart companies running bug bounties --- Google is probably the smartest --- are using them like engineering tools; both to direct attention on specific parts of their codebase, and, just as importantly, as an internal tool to prioritize work.

These "smart" companies should consider just how cheap even higher bounties are to prevent massive downsides. Of course, an underlying problem is how well these companies have insulated themselves from the consequences of writing and not fixing vulnerable software. A sane liability (and insurance) regime would go a long way towards aligning incentives properly.

From conversations with people who participate in the grey market today and conversations with people involved in large-scale bounties, I think everybody believes that payouts for high-value exploits (and thus bounty payoffs for high-value POCs) are going to climb, probably rapidly, so the thing you want is a thing I expect to happen, and am happy is happening.

Where we differ is the long-term impact of those increasing costs. I don't think market competition is going to meaningfully improve security. Things like swapping out components for memory-safe replacements, hardening runtimes, and deprecating ancient protocols and formats have, though, and will continue to pay off. So I'm optimistic, just for a different reason than you are.

  • > I don't think market competition is going to meaningfully improve security.

    I think the things you describe all have long-term wins but may worsen the short-term picture. Sure, using better tools is good, but younger code is riskier for its own reasons.

    Bounties are a great short to intermediate strategy. There's code that's used today, and this is the way to get some near-term outside effort towards making it better (and these sentinel events can provide guidance on where to spend inside effort as you say).

    And, of course, if software engineering growing up means we actually get fewer bugs, bounties become even more worthwhile: any issues found will remove a bigger proportion of total vulnerability.

    • I hear that concern a lot, about younger code, but I think that misapprehends the situation. New code will bring new bugs, but only specific kinds of bugs have real market value. I think we're on a trajectory towards those marketable bugs having something like a vintage.

      I see bounties as an engineering tool more than anything else. For the reason I provided upthread, I don't think it's likely that they're going to alter market dynamics. I don't have a really strong basis to claim this; it's just a conclusion I'm drawing from the incentives at play. I think the most important thing bounties do is mobilize people who would never work with a grey-market broker to do good vuln research work, I think the sums we're transacting in today are clearly enough to accomplish that, and regardless of whether you agree there, we both agree that those sums are set to increase.
