by rl3 3627 days ago
>I think $5,000 is a joke, this is a serious vulnerability...

I tend to agree. They should probably add a zero to that.

Obviously $5,000 is a lot of money, but not to Facebook, and especially not in the context of fixing serious vulnerabilities on a platform that has 1.65B users.

If Facebook paid more they'd enhance their security in the process, at the cost of what amounts to chump change for them.


Maybe. But for anyone to make money off it, they'd need to be willing to be or work with a criminal, right? If they are getting work done for the amounts paid, why pay higher?
If you're working on Facebook security, is that a bet you're willing to take?

People might mostly take what they're offered and have it amount to a decent enough hourly rate, but there will be that one in ten or one in a hundred unhindered by moral and/or legal considerations.

At that point, it turns into a cost calculation - perhaps it would indeed be cheaper to pay tenfold or more to a hundred people than have just one sell their bug/exploit/whatever to another, more interested buyer?

> If you're working on Facebook security, is that a bet you're willing to take?

Apparently so. That's what they're offering and paying. The entity that most benefits from FB security is FB, and they seem to be OK doing this.

> If they are getting work done for the amounts paid, why pay higher?

To incentivize people to tell them and not sell it to hackers? Because these sorts of things are very valuable to Facebook and they have gobs of money? Because a higher total would make more people interested in looking for issues?

95% of people are incentivized enough to not sell to hackers by the incentive of not becoming a criminal.

I don't believe it's illegal to sell vulnerabilities.

Governments also buy zero days.

Sure, just walk into an embassy with a flash drive. I'm sure they've got sacks of doubloons in a basement safe just waiting for someone like you.

If anything, it's to give people the incentive to actually flesh out a bug report and send it to them. I really have no idea where everyone's getting this "The black market will pay billions!" idea from.

Facebook is a closed system; an exploit there is worth precisely nada. Any use of it for monetary gain will be shut down fast and probably audit-logged to find you. Find a kernel-level exploit that allows you to execute any command you want at any administrative level on Windows/Linux/etc. which allows people to drastically increase their botnet size? That'll get you some cheese.

I guess the reasoning would be that some hackers probably have found vulnerabilities they'd rather sell on the black market for 50K than sell to Facebook for 5K.

Who is paying 50K for these things? A while back the Hacking Team dumps showed very low prices. Zero days in widespread desktop systems were like 100K. Why would a remote service flaw that can be fixed at a moment's notice be worth much more?

How do you recoup 50K on FB? Not a theoretical "I'll hack Tom Cruise's pictures and blackmail him" but an actual demonstrated business model.

If it's a government buying the exploit, they wouldn't care about recouping the cost. Hence a large sum is feasible.

Didn't the HT leaks show vulns that'd be sold to anyone? An online service hack just wouldn't command the same pricing. Is there any source/docs to indicate that, e.g., the NSA pays $50K for this kind of vuln?

Also note that the majority of government entities can just legally request information.

> Is there any source/docs to indicate that, e.g., the NSA pays $50K for this kind of vuln?

If anything smaller governments without in-house vulnerability research would be more willing to pay large amounts.

> Also note that the majority of government entities can just legally request information.

The kind of governments that would be interested in exploiting Facebook probably aren't the kind that could legally request the information in the first place.