Comment by gusgus01

3 days ago

How do we know the incentive is to pay out bounties? And how do we know that doesn't change on the whims of the management chain?

We don't "know" anything unless we are at that company in particular and part of the management conversations. We at best can theorize based on incentives, but that's assuming companies and people are logical, which is a large assumption. I could easily see someone in the midst of layoffs and reduction of overhead initiatives thinking that the solution is to convince everyone you do payouts, but actually minimize payouts, which you could do by creatively using scopes.

You're right. AMD could for some reason be unlike every other major tech company that runs a bug bounty. Maybe AMD stood up a public bounty where people get their pay docked when bounties get paid, rather than perfed up. They would potentially save, say, 0.000289% of their annual revenue, in exchange for stories like these. Checks out.

  • I'm not claiming to know how any major tech company runs their bug bounty program. I'm actually trying to claim that we can't know how AMD (or any of them) do; we can merely express our opinions on it. We can discuss all the public incentives they may have (and our interpretations of how those incentives should play out), but we don't see the internal bureaucratic incentives or the personal incentives, etc., etc.

    We also regularly see how the incentives we see as outsiders (and somewhat insiders) are regularly perverted. For the VW emissions scandal someone could have argued that the incentives were plain and clear, "Design better engines", but they instead went with "Design better ways to scam the tests". This is on top of the way companies will mask their true incentives, like how renewable energy programs are sometimes actually just the smart financial decision but it'll be portrayed as part of the green movement.

    To include some explicit personal opinion, I can't throw a stone without hitting a news story about a company that thought they could get away with something but then eventually got called out for it... and they ultimately still got away with it.