Comment by dig1
6 months ago
Sandbox escape with high-quality report in Chrome: $250k [1], yet Mozilla will offer you $20k [2] for that...
[1] https://bughunters.google.com/about/rules/chrome-friends/574...
[2] https://www.mozilla.org/en-US/security/client-bug-bounty/
According to Wikipedia, that's 0.012% of their net income. [0] While I'm being told in the comments that this is not the way to look at it, it means that this is, percentage-wise, 50x the amount that Google is paying.
Sounds fine to me.
[0]: https://en.wikipedia.org/wiki/Mozilla_Corporation
//Edit: Had a typo in my percentage. 20.000 of 157.000.000 is, indeed, 0.012% - that makes it 50x the amount of Google's percentage.
If only they'd use a similar rubric to rein in their CEO comp [1].
[1]: https://news.ycombinator.com/item?id=24132168
Is their CEO comp not in line with the market?
But Chrome is paying more as a percentage of their browser units' income, no?
Virtually all of Mozilla's income comes from the browser (via the Google search agreement). The vast majority of Google's revenue comes from ad revenue on search, YouTube, and Adsense. Not from Chrome directly. So they had less incentive to reward its security, but did so anyway. And they also do some of the best work in the industry, free, for competitors via Project Zero.
The browser totally has zero to do with google ads. Totally no connection at all.
Do you pay a software engineer for their time based on your revenue or their skill?
Be somewhat competitive with what such developers could get on the black market. Discounting the ethics.
Surely a bug on Chrome is worth more than a bug on Firefox.
Mostly based on revenue, or at least that is the way we are going.
That is why you see equivalent skill levels being paid differently in big tech compared to other places.
And why you see millions in salaries at some big techs' AI hiring.
If you don't have the revenue, you don't pay them at all, because you don't actually employ them.
It's really no secret that higher revenue means higher potential pay/more devs...
Both - these are the two sides of the market, aka supply and demand.
> According to Wikipedia, that's 0.0012% of their net income.
How much of the Mozilla foundation's income goes into product development nowadays?
260 million USD, as answered by the linked article, though the numbers only go up to 2023. So "nowadays" is a bit of a stretch.
Do you imply that it's not 5x, but 500x of what Google pays? /s
Chrome has 15-20 times the users that Firefox has; on the black market the bug would sell for a similar ratio. Safari might go for more, as it has more rich and tech-security-illiterate users.
Disagree. More market share does not mean juicier targets, which, in this case, would be Tor users. In addition, you don't buy an exploit to use it en masse; that would get it burned really quickly.
More market share does in fact impact availability of targets, but in the case of Firefox it's just as much a factor that there are more bugs and exploits floating around.
Have you looked at the financial health of the one company vs the other? I am pretty sure Google is making more than 10x the money Mozilla is making.
It'd be fun to do a sketch that's a montage of an array of HN armchair quarterbacks rolling up their sleeves and taking short-lived shots at being CEO of Mozilla.
Marching into the home office, kicking butt, and pointing at the whiteboard for their favorite pet project:
* Mozilla focusing on privacy
* Mozilla focusing on web standards
* Mozilla focusing on speed
* Mozilla (apparently, here) focusing on maximizing the size of payouts for bug bounties
Inspiring, Rocky-style music plays in the background.
In the foreground, a red line continuously traces slowly downward, with no perceivable relationship to the scenes in the montage.
The grey market also offers much less for Firefox vulnerabilities, for reasons of both supply and of demand.
* Compare income
* Compare market share
* Compare market share normalised by likelihood of an attack yielding benefit; in short, Firefox users would probably be power users, more likely to have other ways to mitigate an attack
* Or basically just compare black market prices, which already take the above 3 into account
Tells you who is more serious about security. A quarter of $1M is a fair price for this type of bug.
Won't complain about that.
Just like you personally obviously don't care about your personal security when you do not pay a team of body guards 250k a year.
> Tells you who is more serious about security.
Yup, clearly Mozilla.
$250k is loose change for Google.
Really doesn't tell me piss all, as I'm not privy to their respective overall cash flow. Are you, considering you say it does for you?
Is monetary expenditure on vulnerability payouts really the primary determinant of who's taking security more seriously, by the way? Sounds a bit backwards to me.
What I call backwards is Mozilla paying their executives multi-millions of dollars for failure and the decline of Firefox.
Maybe had they run the company competently, they could afford to pay their engineers and offer larger bounties instead.
> Is monetary expenditure on vulnerability payouts really the primary determinant of who's taking security more seriously?
Many such researchers would rather sell their 0day to the black market if the effort + price offered is too low and not worth it. It is up to the vendor (Mozilla) to set a fair price to prevent that exploit from reaching the black market for a much higher price.
So given all the above, Mozilla is not serious.