by dopamean 3627 days ago
The circle jerk discussion about the rewards paid out by bug bounties on this site is getting ridiculous. It has been talked about ad nauseam, and it seems that most people crying that the reward isn't high enough because "you could make so much more on the black market" don't actually know anything about how vulnerabilities are monetized on the black market.

You're probably right, but this comment would be a lot better if it included information (e.g. about how the black market works) and dropped the slurs ("circle jerk", "crying").
You're right. It was a bit of a knee jerk response to what I was reading in the comments.
I'd be curious to know what those same folks think regular security staff should be paid.

From another thread here, the author talking about the time involved:

> Two to three hours discovering and writing the initial report, couple more hours (unsuccessfully) trying to escalate it using pre-approved apps.

I'll round his estimate up to 6-8 hours, or basically a normal work day:

$5000 / 8 = $625 an hour

$625 * 40(hour work-week) * 50(weeks) = $1,250,000 annually

Let's say it took an entire week's worth of time (comes out at $125/hour):

$5000 * 50 = $250,000

Is that range wildly out of line for what Facebook would potentially be paying for a full-time employee? The actual salary number would probably be lower, since this would include the cost of taxes/insurance/perks/etc.

Even as a contractor, where the "expect to bill ~1000 hours a year" rule of thumb is/was common, the range comes out at $125,000-$625,000.

Seems as though if you can reliably find organizations willing to pay these amounts and have the skill/luck/grit to grind out vulnerabilities at those companies, you'll make a decent living. Or, put another way, these companies are paying bounties comparable to what the same research would have cost coming from a staff member.

Why would you calculate hourly rate? I'd rather try to calculate the economic impact that this could have for the company, especially marketing costs to repair bad PR if something like private messages, pictures, info, etc. get breached. Do you think Facebook would spend $5,000 for that? Hell no, marketing budgets are in the magnitude of millions of dollars... I'm in no way supporting exploiting these vulnerabilities, and kudos to the OP (and many others) for finding these bugs and reporting them to their companies instead of exploiting them. I just think that big tech companies should pay bigger bounties.
The hourly rate is to make an apples-to-apples comparison to someone whose full-time job is to do that kind of security work, either salaried or contracted.

Would it make sense to award bonuses to every in-house security researcher based on an estimated, hypothetical worst-case cost? It doesn't take much imagination to see how that reasoning applies to other positions. Do accountants get big bonuses for avoiding multi-million-dollar errors? Lawyers for avoiding costly lawsuits? Operations (IT and otherwise) for keeping infrastructure running? Customer service for assuaging disastrous public interactions? Stretched to absurdity, would you pay for a taxi based on how badly you need to get to point B?

I believe saying "preventing these kinds of problems (doing this work) is what we pay you for" is a reasonable conclusion and paying a market rate for that general value makes more sense versus calculating a kind of commission per individual contribution. That does have a certain appeal (and I wouldn't mind seeing a discussion about it) but I haven't gotten the impression that's the perspective of those who think all* bug bounties should be higher.

*: Added caveat as I'd bet every researcher can name companies that pay poorly

$250k/yr is not at all a crazy number for someone who can reliably generate Facebook vulnerabilities from a black box cold start.
I don't think you can infer that all the researcher's findings would be critical bugs in one of the big companies (that pay well). It probably follows a normal distribution where most of the time it's non-critical bugs in medium-sized companies.
I'd love to learn about how these sorts of vulnerabilities tend to get monetized in black market settings.

Is there much reading available for that kind of thing?

No, there isn't. Even the people who participate in the grey market for exploits (sales that aren't overtly prohibited by law and for which participation would be unlikely to make you an accessory to a felony) are very quiet about it.

But, a good starting point might be the analyses people have done on the Hacking Team leak.

What's your opinion on bug bounties for hosted applications vs. bug bounties for actual pieces of software?

To me, the latter seem like a much more obviously good idea than the former. Notably, issues of somebody going out of scope (like the Facebook issue a while back) mostly disappear. Bounties on things like Chrome seem to be almost drama-free; the worst possible case, aside from somebody 0-daying a bug out of anger, is somebody not getting paid.

I seem to remember Miller mentioning in passing he got paid ~50K per vuln (you can guess who paid it by looking up Miller's past employers).
I don't know much about it tbh. tptacek and a few others have spoken extensively about bug bounties on HN. I'll try and dig up a few of their past comments.

Essentially what the argument comes down to is that a one off bug to exploit a company like Facebook is actually not worth very much to anyone on the black market because the bug is likely only valid for one company and that company will likely patch the bug very quickly. This leaves the attacker with a very narrow window to exploit the bug.

Attackers on the black market paying for exploits are looking to make money from those exploits. If there is only one place they can use the exploit and perhaps only have a few days or even hours to use it how much would it really be worth? The exploits that pay big on the black market are ones that are enormously widespread and less likely to be fixed quickly.

If I can find better, more detailed, explanations I'll post them here. Maybe tptacek can link to his past comments...

What's more is there can't really be an established "market" for a unique exploit. If a product isn't being regularly traded then there's no easily findable pool of buyers. There's also no ongoing/repeat business which outside of contract law (and even for plenty of business conducted under contract) is all there is to keep people honest.

You'd need to be very well connected to be able to get good value out of an exploit. There could very well be people that are. Hackers in leather dusters travelling the world exchanging thumb drives in shady third world bars, sounds cool as hell, in fact I hope there are people living that life just because it makes reality that little bit more interesting. But your average pen tester isn't that.

Whenever I see the "better value on the black market" crowd show up here I'm actually reminded of a bit (Jim Jefferies, I think) about the black market not meaning you can just head down to the docks at night going "GUNS. I WANT TO BUY A GUN".

> [...] that company will likely patch the bug very quickly.

I have heard of many instances where that isn't the case (some bugs are exploited for months before the company finds out)... and you probably have too... but anyway, as an example, you don't need a lot of time to copy lots of data...

The Hacking Team hack had some interesting fallout... I believe the article below was posted on HN a while ago: [Edit, just saw tptacek's comment]

https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/

https://www.wired.com/2015/07/hacking-team-leak-shows-secret...

I think people on HN are underestimating the tabloid market and previous prices paid for photos (https://en.wikipedia.org/wiki/List_of_most_expensive_celebri...). TMZ regularly pays out 5k for photos/videos; selling to them is the hard part, and not getting caught in some type of undercover sting during the process is why most people will take the bounty.
Every time this topic comes up, someone brings up the "market" for stolen photographs. For a site so interested in startups, we sure don't like to think like businesspeople when it comes to this topic.

Think about the steps required to acquire and monetize stolen photographs from Facebook accounts. Only a few of those steps involve Facebook vulnerabilities, just like only a few of the steps involving building a software company involve actually writing software.

But in order for that business to work at all, it needs a steady supply of Facebook vulnerabilities; all the work setting up a sales channel for photos, in reconnoitering accounts to figure out which ones to raid for photos, in determining what the prices for photos should be, in scouting out new customers for photos, and most of all providing OPSEC for a ridiculously risky criminal venture, all of it is at a standstill until someone (a) sells them a vulnerability and (b) shows them how to pivot that flaw to acquiring photographs.

Nobody is running that business, ready to receive Facebook CSRFs (or even serverside RCEs) so they can get another few weeks of Facebook photo-snarfing in. One way you know that is that when celebrity photos are stolen in phishing attacks, it's a major news story.

Vulnerabilities that command high prices on the black market do so because they slot into already-existing criminal enterprises. If the enterprise does not yet exist, the vulnerability is worth zero.

Buying stolen property is a crime. TMZ would be committing a crime if they bought photos from hackers. Doing that would be the end of TMZ.
They already have precedent for buying illegally obtained footage and nothing happened to them:

http://pagesix.com/2014/05/15/employee-who-leaked-solange-ja...

http://www.newyorker.com/magazine/2016/02/22/inside-harvey-l...

They would be more worried about a Gawker/Hulk Hogan-like lawsuit than about getting criminally prosecuted.

IANAL, but the first link does not support that conclusion. It is not made clear whether that employee was in fact committing theft and selling stolen goods to TMZ (the hotel threatens to press charges (what charges?) on the employee but did those charges actually go through?).

Furthermore, nothing happening in one case != okay to do whatever you want. I guarantee you TMZ has a team of lawyers that makes sure they stay on the right side of the fine line of plausible deniability.

I posted below (and got hardly and irrationally downvoted) that $5,000 is a joke. And your comment and others don't change my mind. A CSRF vulnerability; looking forward to reading a post on a SQL injection next time... I worked doing bots in my school days when I was a kid, and I saw that the gray/black market can unfortunately be extremely profitable. $5,000 is nothing; we're not talking about a little startup here, it's Facebook, and they do have resources. Have you ever seen nasty content on your Facebook wall, been spammed or even hacked? It's because these kinds of vulnerabilities get breached. Of course they can happen, but $5,000 is nothing considering the economic impact it can have if someone exploits it badly. A PR campaign to fix a mess wouldn't cost a few thousand, rather a few million. Again: kudos to the OP for posting this and doing things the right way (reporting to Facebook), but again, sadly good developers are getting underpriced...

PS: and by the way, I'm in no way circle jerking, this is not reddit, I'm here for a serious discussion on the topic.

As I said downthread, Facebook was the highest bidder for this interaction-required CSRF bug; the next-highest bidder would probably be $50.

There is virtually no market at all for serverside bugs, because they have no half-life: as soon as they're detected, they stop working against all targets instantaneously. Contrast that with browser clientsides, which have long half-lives.

A SQL injection bug in a Facebook service would not fetch much more than $50 from anyone but Facebook itself.

The price is not only what you can get on the black market; it also takes into account:

- How likely it is for someone else to find it (even internally)

- How long it takes for it to be identified and exploited, the impact of that, and the time for mitigation/fixing

True, but it's also:

- How much it would cost to repair the trust of the users if the breach occurs: PR, marketing, organizational costs

Do you think a big company would pay $5k for a PR campaign to fix a mess due to a breach of private data? Not remotely.

It's always a question of probability: expected cost × probability gives you the end cost.

You don't lock a $1000 bike with a $1000 lock, maybe with a $100 lock though.