by jrandm 3627 days ago
I'd be curious to know what those same folks think regular security staff should be paid.

From another thread here, the author talking about the time involved:

>Two to three hours discovering and writing the initial report, couple more hours (unsuccessfully) trying to escalate it using pre-approved apps.

I'll round his estimate up to 6-8 hours, or basically a normal work day:

$5000 / 8 = $625 an hour

$625 * 40(hour work-week) * 50(weeks) = $1,250,000 annually

Let's say it took an entire week's worth of time (comes out at $125/hour):

$5000 * 50 = $250,000

Is that range wildly out of line for what Facebook would potentially be paying for a full-time employee? The actual salary number would probably be lower; this would include the cost of taxes/insurance/perks/etc.

Even as a contractor, where the "expect to bill ~1000 hours a year" rule of thumb is/was common, the range comes out at $125,000-$625,000.

Seems as though if you can reliably find organizations willing to pay these amounts and have the skill/luck/grit to grind out vulnerabilities at those companies you'll make a decent living. Or, put another way, these companies are paying bounties comparable to what the same research would have cost coming from a staff member.

3 comments

Why would you calculate hourly rate? I'd rather try to calculate the economic impact that this could have for the company, especially marketing costs to repair bad PR if something like private messages, pictures, info, etc. get breached. Do you think Facebook would spend $5,000 for that? Hell no, marketing budgets are in the magnitude of millions of dollars... I'm in no way supporting exploiting these vulnerabilities, and kudos to the OP (and many others) for finding these bugs and reporting them to their companies instead of exploiting them. I just think that big tech companies should pay bigger bounties.

The hourly rate is to make an apples-to-apples comparison to someone whose full-time job is to do that kind of security work, either salaried or contracted.

Would it make sense to award bonuses to every in-house security researcher based on an estimated, hypothetical worst-case cost? It doesn't take much imagination to see how that reasoning applies to other positions. Do accountants get big bonuses for avoiding multi-million-dollar errors? Lawyers for avoiding costly lawsuits? Operations (IT and otherwise) for keeping infrastructure running? Customer service for assuaging disastrous public interactions? Stretched to absurdity, would you pay for a taxi based on how badly you need to get to point B?

I believe saying "preventing these kinds of problems (doing this work) is what we pay you for" is a reasonable conclusion and paying a market rate for that general value makes more sense versus calculating a kind of commission per individual contribution. That does have a certain appeal (and I wouldn't mind seeing a discussion about it) but I haven't gotten the impression that's the perspective of those who think all* bug bounties should be higher.

*: Added caveat as I'd bet every researcher can name companies that pay poorly

$250k/yr is not at all a crazy number for someone who can reliably generate Facebook vulnerabilities from a black box cold start.

I don't think you can infer that all the researcher's findings would be critical bugs in one of the big companies (that pay well). It probably follows a normal distribution where most of the time it's non-critical bugs in medium-sized companies.