
Comment by duozerk

5 days ago

Maybe Google is an exception (but then again, maybe that payout was part marketing to draw more researchers).

So is there anything that would actually satisfy crowd here?

Offer $25K and it is "How dare a trillion dollar company pay so little?"

Offer $250K and it is "Hmm. Exception! Must be marketing!"

What precisely is an acceptable number?

  • One is a lament that the industry average is so low, and the other is… a lament that the industry average is so low. What's the problem?

  • A number better than what the exploit could be sold for on the black market

    • I don't believe those numbers will ever come close to converging, let alone bounty prices surpassing black market prices.

      It seems like these vulnerabilities will always be more valuable to people who can guarantee that their use will generate a return than to people who will use them to prevent a theoretical loss.

      Beyond that, selling zero-days is a seller's market where sellers can set prices and court many buyers, but bug bounties are a buyer's market where there is only one buyer and pricing is opaque and dictated by the buyer.

      So why would anyone ever take a bounty instead of selling on the black market? Risk! You might get arrested or scammed selling an exploit on the black market; black market buyers know that, so they price it into offers.


    • You can work your day job and make $20-500k/yr or pursue drug dealing and make $5-5000k/yr. I don’t think that’s actually a compelling argument for the latter even if the opportunity cost is better.
