Comment by tptacek

2 months ago

I hear that concern a lot, about younger code, but I think that misapprehends the situation. New code will bring new bugs, but only specific kinds of bugs have real market value. I think we're on a trajectory towards those marketable bugs having something like a vintage.

I see bounties as an engineering tool more than anything else. For the reason I provided upthread, I don't think it's likely that they're going to alter market dynamics. I don't have a really strong basis to claim this; it's just a conclusion I'm drawing from the incentives at play. I think the most important thing bounties do is mobilize people who would never work with a grey-market broker to do good vuln research work, I think the sums we're transacting in today are clearly enough to accomplish that, and regardless of whether you agree there, we both agree that those sums are set to increase.

> I think we're on a trajectory towards those marketable bugs having something like a vintage.

I'm reminded of when we really systematically started treating temporary names correctly and thought security was going to be so much better.

I think there's no shortage of bugs and exploitation scenarios. We'll eliminate the easiest to exploit and most common mistakes, but there will be yet more.

> I think the most important thing bounties do is mobilize people who would never work with a grey-market broker to do good vuln research work

I think it makes it easier for those who work with grey market brokers to "go legit", too. Even if bounties can't win on price, this doesn't mean they can't win people over.

Of course, the fact that they can't win on price is a market oddity. Exploitation causes net economic harm; it's a negative-sum proposition. The only reason why software vendors can't outbid the criminals is because the software vendors don't pay the actual losses. I'm hoping this changes some over time.

> we both agree that those sums are set to increase.

I don't/didn't know that's true, but that's welcome news if true.

  • If we're talking about mid-90s race conditions there, with "temporary names", there was never a market for those vulnerabilities. There's a myriad of different vulnerabilities and new bug classes announced with fanfare every year at Black Hat and the Big Four conferences, but we've been in what seems like a stable state for over a decade on which of those vulnerabilities are actually tradable.

    • > If we're talking about mid-90s race conditions there, with "temporary names", there was never a market for those vulnerabilities.

      More like mid-80s, with effects dragging on to mid-90s.

      There was never a market back then at all. ;) The point is, many confidently announced that all the easy-to-exploit stuff in Unix was being fixed and soon security was going to be less of a problem.

      > but we've been in what seems like a stable state for over a decade on which of those vulnerabilities are actually tradable.

      Yes, but that doesn't stay the same if the low-hanging fruit dries up as you posit. The level of sophistication of both exploit writers and exploit consumers will have to climb, but we're nowhere near the ceiling of the skills and effort that crime and intelligence can pay for.