Hacker News
by Steeeve 3592 days ago
The more I see writeups like this, the more I wonder if the effort being laid out by the people doing the work is compensated appropriately.

I'm not sure what Amazon pays for identifying a security flaw, but I imagine it's somewhere between $5 and $15k.

Having success monthly might yield reasonable compensation, but companies only pay when a flaw is identified, which means you don't get paid for your work, you get paid for your successful work. And you don't get to define what is successful, nor is there usually a clear definition of what successful actually means.

I understand that many people do this to get a job in security / security research, but it just seems like the effort-to-payoff ratio still favors people using their found exploits for evil dramatically.

There really should be a different pricing model around security exploits - one that encourages responsible disclosure more heavily.

1 comment

I don't believe Amazon officially pays for security flaws. They ended up sending me a free Kindle (pretty funny) and got an interview out of it. That didn't end up going anywhere, but I got a heck of a lot further than the black hole that is most job application processes these days. Seemed like a fair trade considering the market for Kindle 0days is somewhere near $0.

It's a neat project to talk about during interviews. Nothing more.