[K0nserv]

The concern with the low payout is that it's supposed to be a way to compensate white hat hackers and dissuaded them from going to the black market with security problems like this. Given the business that LastPass is in wouldn't you agree that it's extremely crucial they make sure white hat hackers are aptly compensated for serious problems they find? In fact I'd think it'd be reasonable for them to pay more than Facebook for certain classes of bugs(like this one). After all all your passwords are more valuable than your Facebook account.

[tptacek]

No, that is not at all what a bug bounty is meant to do. We are not expected to pay people to avoid them launching criminal conspiracies against us.

The purpose of a bug bounty is to incentivize researchers to target specific pieces of software so that vendors can benefit from that attention.

[jontas]

Let's assume that there is a spectrum of honesty (say, from 1-10) and the pool of people capable of discovering vulnerabilities in your product includes people from the entire range.

If you're a 10 you will disclose responsibly regardless of a bounty, and if you're a 1 you will disclose to the highest bidder. The rest will weight profit, ethics, and risk in some ratio depending on where they fall on the scale and decide to act based on that calculation.

The company has to price their bounty on a few factors: how much they can afford to pay, how much a bug is worth to them (eg damage to their reputation, fines in the event of a vulnerability), and how important it is and to have researchers looking at their product instead of another product.

I agree with you that companies should not be required to pay people to prevent them from launching criminal conspiracies. But this is not a perfect world and people are not so black and white in their actions and motivations. There is no point trying to optimize your bounty program for the 1's or the 10's. Therefore, when optimizing for the rest it makes sense to pay as much as possible within the constraints I mentioned (in the previous paragraph) in order to tip the scales in your favor for the largest part of the spectrum possible. Right now the tech community knows about this problem with LastPass. If this exploit had made it to the wild things would've been much worse for them from a PR perspective.

I am hoping that the $1000 cap on the bounty program came from careful consideration of these factors, but my gut tells me it was a number handed down from management.

[Houshalter]

The point is to get more tens to even look at the code, not encourage people that have already found vulnerabilities to share them. I also think you vastly overestimate the percentage of criminals.

[K0nserv]

I think it's a bit of bucket A and bit of bucket B. Still even if one accept the definition you put forth the argument that having such low bounties makes LastPass look bad/like they're not caring is still valid.

[tptacek]

No, it is not at all "bucket A" and "bucket B", and suggesting otherwise is a grave insult to hundreds of researchers who would never dream of attempting (and, of course, inevitably failing) to "sell bugs to the black market". Finding interesting vulnerabilities in software makes you clever and talented, not sociopathic.

[lkbm]

> and suggesting otherwise is a grave insult to hundreds of researchers who would never dream of attempting (and, of course, inevitably failing) to "sell bugs to the black market".

No, suggesting otherwise is saying that a bounty program with high enough rewards can reach both legitimate security researchers and sketchy folks. This is in no way a slight on the first group.

[tptacek]

So the people on this thread saying that this particular researcher didn't get paid enough to "do the right thing" just mean that this person seems a little sketchy?

[djrogers]

Clearly not - merely that this bug could just as easily have been discovered by someone 'a little sketchy' and $1000 wouldn't be a big enough reward to skip setting up a watering hole or two for lulz.

[cloudjacker]

What he's saying is "raise the bid"

Your rationale would be a valid rebuttal in your world no matter what the amounts in question were. $500? Incentive! $50? Incentive!

[tptacek]

This is a non-sequitur response to my comment, whose whole purpose is to point out that a bug bounty is not a bid in an auction against organized crime.

[cloudjacker]

You wish it was a non sequitur when it is completely relevant

We can agree to disagree because the perspective really wasn't for you, it was for everyone else reading that will share a sentiment they've felt but never articulated

[PeterisP]

In practice, in many cases, bug bounties are de facto a bid in an auction against organized crime. It doesn't need to be 1-to-1 equivalent bid, and it's not for all sources of found bugs, but the intent and the effect is definitely there.

[tptacek]

No, they are virtually never a bid against organized crime.

There are two kinds of vulnerabilities in the world:

The kind organized criminals will pay tens of thousands of dollars for, and the kind they, like any Internet rando, will pay $50 for lulz.

If you think this dumb regex bug is worth the same to organized criminals as a Chrome sandbox escape or drive-by reliable Flash RCE... well, people think that about a lot of bugs, I guess.

This LastPass bug is terrible. I was already inclined to warn friends against using it (but my other friends have beat me to that punch many times before). The bug looks terrible for LastPass and its mere existence is damaging to that project.

But that doesn't mean the bug has significant monetary value. As someone else here cleverly put it on the last dumb bug bounty thread: you can smash a car with a sledgehammer, but that doesn't make the sledgehammer worth the value of the car.

[ghurtado]

> you can smash a car with a sledgehammer, but that doesn't make the sledgehammer worth the value of the car.

Perfect analogy, I'm putting that in my back pocket.

[mod]

No, but it makes sledgehammer-prevention worth something greater than zero and something less than the cost of sledgehammer repairs.

Bug bounty programs, presumably, prevent unsavory exploits at some point in the future. Having this responsibly disclosed was damaging still, but cost LastPass less money than having it exploited later.

I'm not sure where that falls on your "significance" scale.

[eyelidlessness]

I can think of few vulnerabilities with more monetary value than an arbitrary exploit of a password manager in broad use by a class of people who have access to huge numbers of private systems.

[zaroth]

There are many people capable of finding this specific bug and reporting it who might be motivated to take a look by a bug bounty, but who would never even consider trying to sell an exploit on the black market. I agree there is one cohort where you are trying to offer them an alternative to illegally monetizing their exploits. Then there is another cohort who you are just trying to encourage them to spend some time with your code versus someone else's. I could only guess at the relative sizes of the two groups, but the optimist in me thinks bug bounties are less about the former than the latter.

As we can see from avlidienbrunn2's response [1] sometimes it's not about the money. It's just fulfilling a natural curiosity about a product, maybe getting your killer write-up of a shocking bug to hit the top of the HN frontpage, etc. So in this case perhaps the bounty program is as much about establishing a legal structure for a whitehat to operate under than to fairly compensate ad hoc pen-testers. I wish they paid 10x or more for this bug. But I'm glad at least pen-testers can report these bugs without [as much] fear of reprisal.

[1] - https://news.ycombinator.com/item?id=12171753

[K0nserv]

I agree with the cohort theory, but to me it's not so much about the risk of someone selling an exploit on the black market, all though it's still a risk. To me it's more about how it reflects on a company where security is key to their product. Low bounties kinda gives of a vibe of not caring about the security of their product and maintaining it.

Personally I lost a lot of confidence in them when they got acquired and switched to 1Password, paying very low bounties for critical security flaws further hurts my confidence in them.

[tptacek]

Most companies, including companies far more security-sensitive than LogMeIn, pay no bug bounties at all. Meanwhile, the companies that pay the largest bounties are themselves routinely harangued online for underbidding the black market --- despite the fact that outbidding crime is in no way the purpose of a bug bounty.

From my vantage point, the logical conclusion to the comment you just wrote is that companies should avoid offering bug bounties. They just attract negative attention.

(I won't use LastPass, and have recommended 1Password --- but Tavis Ormandy is looking at 1Password right now, and I'm guessing they're going to end up disappointing HN too.)

[K0nserv]

It's true that not all companies pay bug bounties and you might very well be right that paying them, especially if they are much lower than other companies that operate bug bounties, might have a worse affect on public opinion then not having bug bounties at all. To me it's still concerning that Facebook pays 10x more for problems that are less severe and it does still make LastPass look like they don't care as much in comparison.

[tptacek]

If this was a thread about a Facebook vulnerability, the exact same things would be said about Facebook. To verify for yourself, use the search box at the bottom of the page to find a thread about a Facebook bounty.

[dzmien]

Wouldn't a true white hat hacker report the bug no matter what the bounty? Therefor, the bounty is in place to encourage black-hat hackers to report the bug instead of trying to profit from exploiting it. But I do agree that it is in a security company's best interest to offer high dollar sums for reporting crucial bugs. I am just arguing semantics :-)

[throwawayReply]

It isn't a choice between "bother to submit or not", it's a case of a white-hat might be encouraged to look into this product rather than another product because of the bounty.

So the end effect is more bugs found by "white hats" rather than "black hats" because the bounty has focused the "white hat" efforts on your program. (Or encouraged them to look at all.)

I'm likely to poke around a site with a bug bounty even with small sums just because it hints at a more formal process and also likely means they have a sensible policy about not going after testers.

Bug bounties are as much about signalling than encouraging "black hats" to suddenly turn to the light side.

[ufmace]

I mostly agree, but I would say that if the amount of a bounty affects your decision on whether to responsibly disclose it or sell to the highest black-market bidder, then you are at the very least a grey hat.