by tptacek 2115 days ago
That's a pretty normal price for an XSS.

Dropbox and co pay $10,000 for the same exploit.

Then you should sell it to Dropbox, because $10,000 is extremely high for an XSS vulnerability.

I do not have the market rates for vulnerabilities, but I do know some pen testing companies charge $10,000 for a few days of work that may not return any concrete bugs.

Compared with hiring a pen testing team, offering high bounties seems like a bargain as you get actual exploits that would impact the company.

Yes, that is the premise behind bug bounties. If you're a vulnerability researcher with a track record, you will probably make better money and certainly more consistent money as a pentester. Many pentesters just do both.

I have, uh, some experience with the rates here.

Can I ask, if you were the owner of the popular note taking app, what bounty would you want to have paid for that vulnerability? I.e.:

"XSS bug in a popular note taking app ... attacker to download all the users' notes just by having them visit a URL"

So as to not feel worried that future vulnerabilities would get sold on the black market instead

XSS? Outside of a social network, where it can propagate itself? For a non-FAANG-scale company? Probably between $250 and $500, if it's a clean and effective XSS. Less if you have to interact with an obscure feature of the application.