Comment by mlyle
2 months ago
> I really think people just like to think about stories where someone like them finds a bug and gets a lottery jackpot as a result. I like that story too! It's fun.
P.S. a lot of time your writing comes off as having a smug tone that rubs me the wrong way.
Actually, I already won a small lottery jackpot doing security stuff. Then a large one doing security stuff. Then a small one again doing other stuff. I could have retired a couple of decades ago, but now I'm a schoolteacher for the funsies. My days of scrunching over IDA Pro for pennies are over: I've got no personal direct interest in whether research gets paid more or less.
I just think that bug bounties are a good thing, but because they are underfunded and unevenly administered, a lot of the potential benefit is left on the table.
Sorry you feel that way, but I own it. You're welcome not to take me seriously. I know your background. But I think you've made some claims in this thread that are probably wrong.
You're free to disagree, but you don't need to do it with the snarky variant "I like that story too! It's fun." that's so easily misread on the internet.
You're right that I've not been involved in the grey market for a while. And when I was, I was on the "advising sophisticated buyers" side of it, rather than trying to sell things.
I think our biggest point of disagreement is just on the notion that you can sell bugs like the one on this thread to brokers. I think we're directionally in similar places on Google and Apple. As I said: I know who you are; I'm not writing to you as if you're a rando who thinks logout CSRFs are worth big money.