by bracewel 3733 days ago
> paltry $15k

The tech/security community is crazy.


No. You have to compare that number to how much you could get for that exploit on the black market. 15K seems cheap for a critical bug on a major platform.
For many qualified technical people, $15k + recognition is worth more than $500k + guilt + possible prison / looking over your shoulder for years.
Well the parent seemed to miss the point -- the real calculus is cost to the company if the exploit were to be used effectively, monetary benefit to the person who finds the bug, and the recognition you'd get in the blackhat community.
Yes the payout calc by company is cost to the company of an exploit, but with a repeated game scenario.

i.e. you can't look at the bug and payment in a vacuum, you have to factor in future bugs.

So the cost is the value to the company for the exploited bug if used properly plus the expected value of future bugs.

Which is weird, right? This shows companies can be internally incentivized to reduce bug bounty payments to show 'they are improving' when in fact, developers are leaving their bug bounty program.

In virtually every case for these bug bounty programs, that number is zero dollars.
Obligatory: "I'm going to write me a new minivan" or "let's hope this drives the right behavior" [1995]

http://dilbert.com/strip/1995-11-13

To be clear, it's not all researchers who believe this. It's just an (annoyingly) vocal minority.