by tptacek 3618 days ago
No, that is not at all what a bug bounty is meant to do. We are not expected to pay people to avoid them launching criminal conspiracies against us.

The purpose of a bug bounty is to incentivize researchers to target specific pieces of software so that vendors can benefit from that attention.


Let's assume that there is a spectrum of honesty (say, from 1-10) and the pool of people capable of discovering vulnerabilities in your product includes people from the entire range.

If you're a 10 you will disclose responsibly regardless of a bounty, and if you're a 1 you will disclose to the highest bidder. The rest will weight profit, ethics, and risk in some ratio depending on where they fall on the scale and decide to act based on that calculation.

The company has to price their bounty on a few factors: how much they can afford to pay, how much a bug is worth to them (e.g. damage to their reputation, fines in the event of a vulnerability), and how important it is to have researchers looking at their product instead of another product.

I agree with you that companies should not be required to pay people to prevent them from launching criminal conspiracies. But this is not a perfect world and people are not so black and white in their actions and motivations. There is no point trying to optimize your bounty program for the 1's or the 10's. Therefore, when optimizing for the rest it makes sense to pay as much as possible within the constraints I mentioned (in the previous paragraph) in order to tip the scales in your favor for the largest part of the spectrum possible. Right now the tech community knows about this problem with LastPass. If this exploit had made it to the wild things would've been much worse for them from a PR perspective.

I am hoping that the $1000 cap on the bounty program came from careful consideration of these factors, but my gut tells me it was a number handed down from management.

The point is to get more tens to even look at the code, not encourage people that have already found vulnerabilities to share them. I also think you vastly overestimate the percentage of criminals.
I think it's a bit of bucket A and a bit of bucket B. Still, even if one accepts the definition you put forth, the argument that having such low bounties makes LastPass look bad/like they're not caring is still valid.
No, it is not at all "bucket A" and "bucket B", and suggesting otherwise is a grave insult to hundreds of researchers who would never dream of attempting (and, of course, inevitably failing) to "sell bugs to the black market". Finding interesting vulnerabilities in software makes you clever and talented, not sociopathic.
> and suggesting otherwise is a grave insult to hundreds of researchers who would never dream of attempting (and, of course, inevitably failing) to "sell bugs to the black market".

No, suggesting otherwise is saying that a bounty program with high enough rewards can reach both legitimate security researchers and sketchy folks. This is in no way a slight on the first group.

So the people on this thread saying that this particular researcher didn't get paid enough to "do the right thing" just mean that this person seems a little sketchy?
Clearly not - merely that this bug could just as easily have been discovered by someone 'a little sketchy' and $1000 wouldn't be a big enough reward to skip setting up a watering hole or two for lulz.
What he's saying is "raise the bid".

Your rationale would be a valid rebuttal in your world no matter what the amounts in question were. $500? Incentive! $50? Incentive!

This is a non-sequitur response to my comment, whose whole purpose is to point out that a bug bounty is not a bid in an auction against organized crime.
You wish it was a non sequitur when it is completely relevant.

We can agree to disagree, because the perspective really wasn't for you; it was for everyone else reading who will share a sentiment they've felt but never articulated.

In practice, in many cases, bug bounties are de facto a bid in an auction against organized crime. It doesn't need to be a 1-to-1 equivalent bid, and it's not for all sources of found bugs, but the intent and the effect are definitely there.
No, they are virtually never a bid against organized crime.

There are two kinds of vulnerabilities in the world:

The kind organized criminals will pay tens of thousands of dollars for, and the kind they, like any Internet rando, will pay $50 for lulz.

If you think this dumb regex bug is worth the same to organized criminals as a Chrome sandbox escape or drive-by reliable Flash RCE... well, people think that about a lot of bugs, I guess.

This LastPass bug is terrible. I was already inclined to warn friends against using it (but my other friends have beat me to that punch many times before). The bug looks terrible for LastPass and its mere existence is damaging to that project.

But that doesn't mean the bug has significant monetary value. As someone else here cleverly put it on the last dumb bug bounty thread: you can smash a car with a sledgehammer, but that doesn't make the sledgehammer worth the value of the car.

> you can smash a car with a sledgehammer, but that doesn't make the sledgehammer worth the value of the car.

Perfect analogy, I'm putting that in my back pocket.

No, but it makes sledgehammer-prevention worth something greater than zero and something less than the cost of sledgehammer repairs.

Bug bounty programs, presumably, prevent unsavory exploits at some point in the future. Having this responsibly disclosed was damaging still, but cost LastPass less money than having it exploited later.

I'm not sure where that falls on your "significance" scale.

I can think of few vulnerabilities with more monetary value than an arbitrary exploit of a password manager in broad use by a class of people who have access to huge numbers of private systems.