by zaroth 3618 days ago
There are many people capable of finding this specific bug and reporting it who might be motivated to take a look by a bug bounty, but who would never even consider trying to sell an exploit on the black market. I agree there is one cohort where you are trying to offer them an alternative to illegally monetizing their exploits. Then there is another cohort whom you are just trying to encourage to spend some time with your code rather than someone else's. I could only guess at the relative sizes of the two groups, but the optimist in me thinks bug bounties are less about the former than the latter.

As we can see from avlidienbrunn2's response [1], sometimes it's not about the money. It's just fulfilling a natural curiosity about a product, maybe getting your killer write-up of a shocking bug to hit the top of the HN front page, etc. So in this case perhaps the bounty program is as much about establishing a legal structure for a whitehat to operate under as about fairly compensating ad hoc pen-testers. I wish they paid 10x or more for this bug. But I'm glad at least pen-testers can report these bugs without [as much] fear of reprisal.

[1] - https://news.ycombinator.com/item?id=12171753

1 comments

I agree with the cohort theory, but to me it's not so much about the risk of someone selling an exploit on the black market, although it's still a risk. To me it's more about how it reflects on a company where security is key to their product. Low bounties kind of give off a vibe of not caring about the security of their product and maintaining it.

Personally I lost a lot of confidence in them when they got acquired and switched to 1Password; paying very low bounties for critical security flaws further hurts my confidence in them.

Most companies, including companies far more security-sensitive than LogMeIn, pay no bug bounties at all. Meanwhile, the companies that pay the largest bounties are themselves routinely harangued online for underbidding the black market --- despite the fact that outbidding crime is in no way the purpose of a bug bounty.

From my vantage point, the logical conclusion to the comment you just wrote is that companies should avoid offering bug bounties. They just attract negative attention.

(I won't use LastPass, and have recommended 1Password --- but Tavis Ormandy is looking at 1Password right now, and I'm guessing they're going to end up disappointing HN too.)

It's true that not all companies pay bug bounties, and you might very well be right that paying them, especially if they are much lower than other companies that operate bug bounties, might have a worse effect on public opinion than not having bug bounties at all. To me it's still concerning that Facebook pays 10x more for problems that are less severe, and it does still make LastPass look like they don't care as much in comparison.

If this was a thread about a Facebook vulnerability, the exact same things would be said about Facebook. To verify for yourself, use the search box at the bottom of the page to find a thread about a Facebook bounty.