[PeterisP]

In practice, in many cases, bug bounties are de facto a bid in an auction against organized crime. It doesn't need to be 1-to-1 equivalent bid, and it's not for all sources of found bugs, but the intent and the effect is definitely there.

[tptacek]

No, they are virtually never a bid against organized crime.

There are two kinds of vulnerabilities in the world:

The kind organized criminals will pay tens of thousands of dollars for, and the kind they, like any Internet rando, will pay $50 for lulz.

If you think this dumb regex bug is worth the same to organized criminals as a Chrome sandbox escape or drive-by reliable Flash RCE... well, people think that about a lot of bugs, I guess.

This LastPass bug is terrible. I was already inclined to warn friends against using it (but my other friends have beat me to that punch many times before). The bug looks terrible for LastPass and its mere existence is damaging to that project.

But that doesn't mean the bug has significant monetary value. As someone else here cleverly put it on the last dumb bug bounty thread: you can smash a car with a sledgehammer, but that doesn't make the sledgehammer worth the value of the car.

[ghurtado]

> you can smash a car with a sledgehammer, but that doesn't make the sledgehammer worth the value of the car.

Perfect analogy, I'm putting that in my back pocket.

[mod]

No, but it makes sledgehammer-prevention worth something greater than zero and something less than the cost of sledgehammer repairs.

Bug bounty programs, presumably, prevent unsavory exploits at some point in the future. Having this responsibly disclosed was damaging still, but cost LastPass less money than having it exploited later.

I'm not sure where that falls on your "significance" scale.

[eyelidlessness]

I can think of few vulnerabilities with more monetary value than an arbitrary exploit of a password manager in broad use by a class of people who have access to huge numbers of private systems.