Comment by tptacek
2 months ago
From conversations with people who participate in the grey market today and conversations with people involved in large-scale bounties, I think everybody believes that payouts for high-value exploits (and thus bounty payoffs for high-value POCs) are going to climb, probably rapidly, so the thing you want is a thing I expect to happen, and am happy is happening.
Where we differ is the long-term impact of those increasing costs. I don't think market competition is going to meaningfully improve security. Things like swapping out components for memory-safe replacements, hardening runtimes, and deprecating ancient protocols and formats have, though, and will continue to pay off. So I'm optimistic, just for a different reason than you are.
> I don't think market competition is going to meaningfully improve security.
I think the things you describe all have long-term wins but may worsen the short-term picture. Sure, using better tools is good, but younger code is riskier for its own reasons.
Bounties are a great short to intermediate strategy. There's code that's used today, and this is the way to get some near-term outside effort towards making it better (and these sentinel events can provide guidance on where to spend inside effort as you say).
And, of course, if software engineering growing up means we actually get fewer bugs, bounties become even more worthwhile: any issues found will remove a bigger proportion of total vulnerability.
I hear that concern a lot, about younger code, but I think that misapprehends the situation. New code will bring new bugs, but only specific kinds of bugs have real market value. I think we're on a trajectory towards those marketable bugs having something like a vintage.
I see bounties as an engineering tool more than anything else. For the reason I provided upthread, I don't think it's likely that they're going to alter market dynamics. I don't have a really strong basis to claim this; it's just a conclusion I'm drawing from the incentives at play. I think the most important thing bounties do is mobilize people who would never work with a grey-market broker to do good vuln research work, I think the sums we're transacting in today are clearly enough to accomplish that, and regardless of whether you agree there, we both agree that those sums are set to increase.
> I think we're on a trajectory towards those marketable bugs having something like a vintage.
I'm reminded of when we really systematically started treating temporary names correctly and thought security was going to be so much better.
I think there's no shortage of bugs and exploitation scenarios. We'll eliminate the easiest to exploit and most common mistakes, but there will be yet more.
> I think the most important thing bounties do is mobilize people who would never work with a grey-market broker to do good vuln research work
I think it makes it easier for those who work with grey market brokers to "go legit", too. Even if bounties can't win on price, this doesn't mean they can't win people over.
Of course, the fact that they can't win on price is a market oddity. Exploitation causes net economic harm; it's a negative-sum proposition. The only reason why software vendors can't outbid the criminals is because the software vendors don't pay the actual losses. I'm hoping this changes some over time.
> we both agree that those sums are set to increase.
I don't/didn't know that's true, but that's welcome news if true.