by bookshelf11 2112 days ago
The pricing on these bug bounties always blows my mind.

If this hack had been exploited, Tesla's market capitalization would've taken a multi-million, if not billion, dollar hit. And here they are, paying out relative chump change to a guy that alerted them to it.


> If this hack had been exploited

But that's the point. Who's out there that would exploit this because they thought $50,000 wasn't worth it, but would change their minds for $1,000,000?

Realistically there are only two types of people who would maliciously exploit something of this magnitude: the mentally unstable (people who just like to cause chaos), and state-sponsored actors attempting to disrupt other nations. Neither of those groups seems particularly likely to change their mind for an extra zero or two.

The "pay more than the black market will" model works for smaller bugs, but for ones like this that would immediately get every three letter agency on the planet trying to find you, the $50,000 isn't a valuation of the worth of that bug report, it's a gratuity. And for the average bug reporter, that's an extremely nice one.

Can they pay more? Yes, absolutely. Should they? Probably, yeah. Do they have any reason to? No.

The solution to this is to have legal requirements for security, and extremely heavy fines for having released dangerous software (some portion of this fine financing a similar bug bounty program). Take the option of how much money to hand out away from the companies, and they'll be incentivised to take security much more seriously in the first place.

Of course, this requires lawmakers to have a basic understanding of technology, so we're at least 20 years and 3 major catastrophes away from getting anywhere near that actually occurring.

>Can they pay more? Yes, absolutely. Should they? Probably, yeah. Do they have any reason to? No.

Yeah, they do. It's a self-declared measure of how seriously they take their security. They valued avoiding the takeover of their fleet at 0.0000125% of their market cap.

The reason I left LastPass was because the bug bounty for a bug that could expose all of everybody's passwords just by visiting a website was, like, about $1k. The company became dead to me in a split second and I wanted out immediately.

...and it's not doing too well these days, from what I can tell.

What was the half-life on that vulnerability? From the moment LastPass wrote whatever the fix was to the point at which attackers can no longer exploit it afresh, how much time elapses? If it's a serverside fix, so that the number is something like "a day or so while it's deployed", that's your answer about why nobody is outbidding LastPass for this bug.

I rather thought it was honesty that kept it from being bid on by bad guys. Even if they wouldn't bid more, it's a big risk to pay so low.

It's kind of a treasure trove to be able to read all passwords from a user of LastPass simply by showing them a website.

It made me think that the next zero day on LastPass would probably be sold to someone else.

Who would buy it? That's the question I'm asking.

Scammers, fraudsters, governments

Props to you for realizing that. That's a good move you took, I feel not many would do the same, sadly.
> Who's out there that would exploit this because they thought $50,000 wasn't worth it, but would change their minds for $1,000,000?

The article says the max bug bounty was increased to $15k eventually, so it was even less than that at the time even though they gave him $50k. Kudos to whoever at Tesla stepped up and gave him extra.

I'd seriously consider not reporting something like that for $15k unless I was worried about someone else exploiting it and having a trail of access logs lead back to me. People that discover bugs like that with massive destructive potential must be on every TLA list on the planet afterwards and I don't think that's worth $15k.

$1 million is life changing and puts you into a higher social class. I.e.: Poor == probably a criminal. Rich == probably not a criminal. It's sad, but that's the way it works and I'd rather be rich if I were on a short list of "dangerous" hackers.

It's pretty silly to suggest that a state-level adversary needs the help of the person who stumbled across the baked-in credentials in an obfuscated Python binary to accomplish a CNE task. If a state wants to target Tesla, someone will submit a petty cash request to contract someone else to develop Tesla vulnerabilities.

If you're able to sell a Tesla vulnerability to the supply chain of a state-level actor, it's probably because they're already actively exploiting Tesla vulnerabilities. By the time random discoveries like this are part of the supply chain, the supply chain is already chugging along.

I think a good rule of thumb is that no serious actor --- not a state, not a crime ring, not a competitor --- does speculative engineering to accept and operationalize a third-party vulnerability. If they're buying, it's because they already have an operational infrastructure to drop the bug into. When you're figuring out the dollar value a vulnerability has, start by telling yourself the story about the entity that already has a bug just like it, is exploiting it for some articulable purpose, and wants a replacement or 10 in the hopper for later. (I don't think this is a perfectly reliable heuristic, but it's where most of this kind of thinking should start).

> It's pretty silly to suggest that a state-level adversary needs the help of the person who stumbled across the baked-in credentials in an obfuscated Python binary to accomplish a CNE task.

I didn't mean they'd want your help. I meant you might end up on some hacker watchlist. You'll get extra attention and scrutiny from government agencies which wouldn't have much upside IMO. Maybe at airports you'll be randomly selected more often so security agencies can look at your devices and try to clone them.

Would you really feel 100% comfortable going to China after being in the news as the person that could have controlled the entire Tesla fleet? I think there are hard to measure social costs for gaining that kind of notoriety and current bug bounty programs aren't properly compensating for them.

Surely there are more than 2 types. Another off the top of my head - competitors.

Agreed. Another could be solo blackhats who just want to make money, who have no state sponsorship. Tangential, but I also hesitate to create such a massive bucket for "mental instability" like that. It's easy to find someone who does something difficult to understand, or against what we would do ourselves, and then just say "well they're mentally unstable." Definitely the case for some, but it seems like a lazy dismissal with no attempt at or interest in understanding.

I was using "maliciously exploit" here to describe what would basically be the worst case scenario of such a bug (instructing every Tesla to deliberately crash at high speed). I don't think it's in any way a stretch to characterise someone who would do that as mentally unstable.

Of course there's many other ways you could exploit such a bug, but in the context of a "multi-billion dollar" event, it's really only The Big One that's in frame here.

Someone could be sociopathic enough to cause the crashes, but still prefer the money. It definitely seems like you could negotiate for more if you can play the part of that sociopath and don't mind a little bit of extortion.

But then “offering more money to sociopaths” doesn’t seem like the right thing to do, because it will only encourage more of them into the market.

When Coke's recipe was stolen and offered to Pepsi, they turned them in. That is what every competitor should do.

https://thehustle.co/coca-cola-stolen-recipe

> Another off the top of my head - competitors.

Car manufacturers do plenty of shady things, but this would be ridiculously over the top. I don't think that would be a serious concern at all.

Did you hear about what eBay execs did?

Go on...

For dramatic effect I will simply say that all one has to do is google or bing "ebay execs".

Those two types in particular are examples of actors that are willing to break the law in this way. Competitors aren't going to contract a hack - like the parent comment said, every 3 letter agency would be after you and suddenly your executives are going to prison.

Public confidence is priceless in the automotive space. The risk of bleedover onto the market segment as a whole would make that an incredibly risky (read: stupid) stunt for a competitor to pull, not to mention the legal and reputational risk if they're discovered.

OP meant two types that are indifferent to consequences.

> Who's out there that would exploit this because they thought $50,000 wasn't worth it, but would change their minds for $1,000,000? […] people who just like to cause chaos, and state-sponsored actors […].

Makes me think of the recent Twitter account take-overs. The amateur attackers acquired access which could have caused enormous damage, and used it to scam ~$100,000. The difference between $50k and $1m in bounty could have turned them towards responsible disclosure.

(That said: they probably hoped to scam much more. And they got caught. And the way they obtained access was probably way out of the scope of a bug bounty program / the law.)

Yeah, I'm not sure the old $5 wrench approach to "hacking" is likely to get you any rewards from megacorps.

Aren't there a lot of people shorting Tesla stock? Some of those would probably stand to receive a significant amount of $$$ if this were to happen.

That kind of incentive has led to underhanded behaviour in the past, so it wouldn't be surprising to see it happen again.

I'm shorting Tesla stock. I consider short Tesla an investment that makes sense over time.

And no, I'm not a hedge fund. Just an investor. Not going to be funding hackers.

lmao... this hack just underscores how exceedingly lame Tesla truly is.

You don’t need to pay more than the black market would, but the more you pay the more time people can spend on it. If the bounties are high enough, you can attract more, and better, white hats to test your system for you. The black hats are out there anyway doing what they will do.

I agree to an extent. I think security obligations are good but they should be practical. I know the privacy activists will hate this, because it's something that works, but if we tracked users irl and if banks already have the ability to reverse transactions then the stakes are much lower (because they would be able to identify theft) than something like remotely updated cars or medical devices which can be patched but not before a lot of people have died. Software is advancing rapidly in a way that's valuable, the goal should be to preserve that except when it kills people in the real way.

For a vulnerability of that scope, I assume selling it to a short-seller to publish in bad faith would be more valuable than selling on the actual black market anyway. Hell, the impression I get is that unless you're fairly well connected already, selling large $ value hacks on the black market isn't exactly easy (see Twitter hack).

I don't know if this is strictly legal either, but definitely more plausible deniability.

> I don't know if this is strictly legal either, but definitely more plausible deniability.

Presumably you're into the system by the time you've discovered the exploit, so you're on the wrong side of the CFAA in the US and IMO the law would come down on you _hard_ if you acted in bad faith like that.

Even failing to report it might ruffle enough feathers for the company to use their political connections to have you prosecuted. I suspect that's also part of the reason the bounties are so low.

Are you kidding me? If money was my goal, 50k would be so insulting! A slightly more malicious person would brick the whole fleet as retribution.

Alternatively, document it with trusted timestamps and don't report it. Then if someone else exploits it you could parlay the media frenzy into a lot of publicity that's probably worth more than the tiny bounties many companies pay.

"Oh, we discovered that 2 years ago, but the bug bounty program didn't make it worth reporting. Want to buy a security audit?"

I wonder if at some level of bounty payment, you run into the problem of encouraging people to introduce bugs to get a bounty. Probably no one with commit access in a major tech company would risk their career for a few months salary. But for ten years' salary...

It just needs to be a subtle bug designed by someone much smarter than the committer, that's plausibly deniable. They certainly don't need to understand how it works, or how it's going to be used months or years later. And I understand that this sort of thing happens with governments, and TLAs, and the people leave after a few years to start their own gig with VC funding and subsequent acquisitions and no-one's the wiser.

Theoretically, one person who's reviewing a pull request could notice a flaw and decide to say nothing about it, hoping to exploit it later. That would be less risky than introducing the flaw themselves—although it does require lying in wait for the opportunity and could take arbitrarily long. But if person A introduces the flaw by mistake, and person B sees the opportunity...

> They certainly don't need to understand how it works

They must need to know something about it in order to verify that it does the malicious thing correctly. It's hard enough to get code right when there's a whole team of people who know exactly what it's supposed to do.

It depends on how active the person has been in choosing the target and the exploit. If a nation-state actor has pored over the source code for some time before/after approaching a person in a tech company with commit privileges, they might be in a position to give them code to introduce that's as limited as possible and which does exactly what they need it to, while seemingly being entirely in keeping with that person's prior work and the organisation's development practices. For the attacker, the less exposure their insider has to actively thinking about how to subvert the system that they have access to (which they could later confess to if questioned/arrested/jailed) and the fewer opportunities there are for someone to notice that something's amiss and for the person to come under suspicion, the better.

We probably need to stop having these threads, because they're repetitive, usually pretty ill-informed, and prevent us from having discussions about the vulnerabilities themselves. All we do is recapitulate the same tedious discussion about how bounty prices work. That's fine, but maybe we should only have those discussions on stories about bug bounties, not any story where a bounty makes an appearance.

For the moment, rather than re-having this discussion, we can just note that bounty prices are what they are, and that no tech firm pays "existential" rates for new vulnerabilities (except, perhaps, Uber, where literally everyone involved in that story is now in the federal criminal court system).

Or you could just minimise this part of the discussion, which HN makes trivially easy to do.

They only need to pay out as much as is necessary to incentivize you to be upfront and report it in private rather than starting a media fuss around it (you get fame and $0) or exploiting the bug yourself (you might get a jail term). Compared to these alternatives, $50K and a clean record isn't a bad deal.

I think, if this had been abused, Tesla would be out of business.

But the fact that $50000 is chump change for Tesla does not mean it's chump change to the recipient.

It's funny, we always talk about compensating leaders for the value they provide to the company. Yet when it comes to non-leaders, it transforms into a question of "value relative to their current/recent income".

> It's funny, we always talk about compensating leaders for the value they provide to the company. Yet when it comes to non-leaders, it transforms into a question of "value relative to their current/recent income".

That's maybe true for founders, but not really for hired executives:

> One major consideration that goes into how much a CEO should be paid is what other companies are paying. Compensation committees benchmark CEO pay against a self-selected peer group -- often 12 to 20 companies that may be of similar size and complexity, and have similar business models, according to Robin Ferracone, CEO of Farient Advisors, an executive compensation consulting firm.

https://www.cnn.com/2019/10/24/success/ceo-pay-packages/inde...

People who assume the world is fair will always find the justifications for why any status quo is valid.

How long do you think it takes for someone to find an exploit? Sure, a long time ago I found problems in web pages by clicking "view source" and going "I wonder what happens if.." and doing POST/GET with a huge buffer, or with "\");...." embedded in it.

These days companies that take their security seriously are hopefully harder to exploit. If it takes someone a couple months of slow fuzzing/etc to find an exploit, that is probably below market for the person's skills here in the US.

Maybe a part of these bug bounties should be not only how critical the bug is, but some metric of how much work the individual put in before finding the problem.

Any one individual could put in an arbitrarily huge amount of work, or claim to have, in order to find a bug.

How do we classify what constitutes work to find any particular bug?

The bounty was $5,000 not fifty thousand. And frankly that would be chump change anywhere for the opportunity cost.

It was $50,000:

> He didn’t end up getting a new Tesla, but the automaker awarded him a special $50,000 bug report reward — several times higher than the max official bug reward limit:

You're looking at the $5,000 bounty awarded for exposing Supercharger-related data that Tesla "didn't want [...] out there", which is obviously a much less severe issue than remote control of the entire fleet.

Ah okay, thank you. Not sure why the $5000 figure stuck with me.

No, $5k was for an earlier bug. "the automaker awarded him a special $50,000 bug report reward — several times higher than the max official bug reward limit"

I wonder why they aren’t paid in vesting stock. $50k in Tesla stock in 2017 would be a nice pay day.

It would also align hackers' interest with the businesses they are helping secure.

I wouldn't necessarily want the stock of a company that I just found a critical vulnerability with.

Then you wouldn't want the stock of any tech companies, because people find critical vulnerabilities in all of them.

It's not very often that serious vulnerabilities affect the stock price.

Check out the stock price of Bank of America after their servers got rooted several years back. Or that breach that Deloitte had. How about Cloudflare?

You can always take the $50K and buy Tesla stock with it. How is it any different?

> I wonder why they aren’t paid in vesting stock.

Most people would far prefer cash

I’ll bet a few QA engineers would like to be paid based on how much a bug they reported would have cost the company if released into production.

"would have" is pretty hard to measure. I do admire the idea to incentivize QA engineers on discovery of niche bugs.

I get that it doesn't seem to make a lot of sense, but is there some market principle that can be used to explain why so many companies act as they do, and that it is in fact rational? Must it be a black swan fallacy?

I don't know, but it makes me think of how armored truck drivers aren't (as far as I know) paid in proportion to the money they're responsible for.

When you sell to the bad guys you have to factor in the risk-price of 20 years in the US prison system.

Bounty payers enjoy a hefty discount when they waive their right to prosecute.

Maybe, maybe not. What happened to Garmin's share price?

Great question. I think I'd say the big difference is that people, for the most part, aren't putting their/others' lives in Garmin's hands when they use their devices.

That said, I think they have some hiking/trekking oriented products which could cause problems if you were relying on them.

The headline "electric car fleet hacked" is a lot scarier than "smart watches hacked".

Then again, maybe people really don't give a shit about this stuff, and these bounties are priced correctly.

How is that even remotely similar?

Yet this person did the right thing anyway and reported the vulnerability responsibly. So seemingly the level of the bounty was reasonable enough that it worked as intended, and a much higher bounty would have been a waste of money for Tesla.

I think the high likelihood of being caught and going to prison is also already a pretty big deterrent for people. Just think of all the challenges of actually pulling a hack like this off without being caught. For one thing, just the poking around that led to the discovery of the vulnerability has probably already logged a bunch of potentially suspicious activity linked to this guy's VIN number. So even if he sold it to someone else who did the hack he could probably be caught already. If he tried to orchestrate the hack himself, not only does he need to not be caught directly, but he'd also have to make a very large, very suspicious short trade right before the hack without it being traced back to him. Plus there's always a possibility that Tesla would have been able to lock him out quickly anyway or had some other kind of rate-limiting or other measures in place to prevent significant damage, or that even if he pulled off the hack perfectly the stock price wouldn't drop as much as expected.

> So seemingly the level of the bounty was reasonable enough that it worked as intended, and a much higher bounty would have been a waste of money for Tesla.

I think it's more likely that the person who reported the vulnerability would have done the right thing regardless of any bounty.

What would be the legality of sharing the hack publicly and allowing someone else to exploit it while shorting the stock?

I also wonder when something becomes a "hack". Some systems are so insecure you can almost accidentally exploit them. In this case the API just required an ID for access. How would someone know if that was by design, or a mistake?

> I also wonder when something becomes a "hack"

As soon as you access something you're not supposed to. If a house is left unlocked and you walk in and take a look around, you're trespassing and it's a crime. And of course if you cause any damage or steal something, that's an even bigger crime.

Except with hacking, the punishments can be even more severe relative to the actual crime committed, because almost nobody in the legal system will understand the details of what happened so they can make you seem as dangerous as they want. Just look at Aaron Swartz and countless other examples of the heavy charges that have been given out for very minor, borderline cases of "hacking".