by sellyme 2118 days ago
> If this hack had been exploited

But that's the point. Who's out there that would exploit this because they thought $50,000 wasn't worth it, but would change their minds for $1,000,000?

Realistically there are only two types of people who would maliciously exploit something of this magnitude: the mentally unstable (people who just like to cause chaos), and state-sponsored actors attempting to disrupt other nations. Neither of those groups seems particularly likely to change their mind for an extra zero or two.

The "pay more than the black market will" model works for smaller bugs, but for ones like this that would immediately get every three letter agency on the planet trying to find you, the $50,000 isn't a valuation of the worth of that bug report, it's a gratuity. And for the average bug reporter, that's an extremely nice one.

Can they pay more? Yes, absolutely. Should they? Probably, yeah. Do they have any reason to? No.

The solution to this is to have legal requirements for security, and extremely heavy fines for having released dangerous software (some portion of this fine financing a similar bug bounty program). Take the option of how much money to hand out away from the companies, and they'll be incentivised to take security much more seriously in the first place.

Of course, this requires lawmakers to have a basic understanding of technology, so we're at least 20 years and 3 major catastrophes away from getting anywhere near that actually occurring.


>Can they pay more? Yes, absolutely. Should they? Probably, yeah. Do they have any reason to? No.

Yeah, they do. It's a self-declared measure of how seriously they take their security. They valued avoiding the takeover of their fleet at 0.0000125% of their market cap.

The reason I left LastPass was because the bug bounty for a bug that could expose all of everybody's passwords just by visiting a website was, like, about $1k. The company became dead to me in a split second and I wanted out immediately.

...and it's not doing too well these days, from what I can tell.

What was the half-life on that vulnerability? From the moment LastPass wrote whatever the fix was to the point at which attackers can no longer exploit it afresh, how much time elapses? If it's a serverside fix, so that the number is something like "a day or so while it's deployed", that's your answer about why nobody is outbidding LastPass for this bug.
I rather thought it was honesty that kept it from being bid on by bad guys. Even if they wouldn't bid more it's a big risk to pay so low.

It's kind of a treasure trove to be able to read all passwords from a user of LastPass simply by showing them a website.

It made me think that the next zero-day on LastPass would probably be sold to someone else.

Who would buy it? That's the question I'm asking.
Scammers, fraudsters, governments.
Tell a story about the "scammer" or "fraudster" that buys this. What do they do with it? What do they win, how many times do they win it, and with what likelihood of success? How much work goes into realizing value from the vulnerability before they get their first dollar, or whatever it is they're getting? Is that work already done, or do they have to do it speculatively on this one vulnerability?

Reason your way through it all the way, and you'll see why real vulnerabilities sold on darker markets are paid in tranches, and why nobody pays real money for one-off serversides.

Props to you for realizing that. That's a good move you took, I feel not many would do the same, sadly.
> Who's out there that would exploit this because they thought $50,000 wasn't worth it, but would change their minds for $1,000,000?

The article says the max bug bounty was increased to $15k eventually, so it was even less than that at the time even though they gave him $50k. Kudos to whoever at Tesla stepped up and gave him extra.

I'd seriously consider not reporting something like that for $15k unless I was worried about someone else exploiting it and having a trail of access logs lead back to me. People that discover bugs like that with massive destructive potential must be on every TLA list on the planet afterwards and I don't think that's worth $15k.

$1 million is life changing and puts you into a higher social class. I.e.: poor == probably a criminal; rich == probably not a criminal. It's sad, but that's the way it works, and I'd rather be rich if I were on a short list of "dangerous" hackers.

It's pretty silly to suggest that a state-level adversary needs the help of the person who stumbled across the baked-in credentials in an obfuscated Python binary to accomplish a CNE task. If a state wants to target Tesla, someone will submit a petty cash request to contract someone else to develop Tesla vulnerabilities.

If you're able to sell a Tesla vulnerability to the supply chain of a state-level actor, it's probably because they're already actively exploiting Tesla vulnerabilities. By the time random discoveries like this are part of the supply chain, the supply chain is already chugging along.

I think a good rule of thumb is that no serious actor --- not a state, not a crime ring, not a competitor --- does speculative engineering to accept and operationalize a third-party vulnerability. If they're buying, it's because they already have an operational infrastructure to drop the bug into. When you're figuring out the dollar value a vulnerability has, start by telling yourself the story about the entity that already has a bug just like it, is exploiting it for some articulable purpose, and wants a replacement or 10 in the hopper for later. (I don't think this is a perfectly reliable heuristic, but it's where most of this kind of thinking should start).

> It's pretty silly to suggest that a state-level adversary needs the help of the person who stumbled across the baked-in credentials in an obfuscated Python binary to accomplish a CNE task.

I didn't mean they'd want your help. I meant you might end up on some hacker watchlist. You'll get extra attention and scrutiny from government agencies which wouldn't have much upside IMO. Maybe at airports you'll be randomly selected more often so security agencies can look at your devices and try to clone them.

Would you really feel 100% comfortable going to China after being in the news as the person that could have controlled the entire Tesla fleet? I think there are hard to measure social costs for gaining that kind of notoriety and current bug bounty programs aren't properly compensating for them.

Surely there’s more than 2 types. Another off the top of my head - competitors.
Agreed. Another could be solo black hats who just want to make money, who have no state sponsorship. Tangential, but I also hesitate to create such a massive bucket for "mental instability" like that. It's easy, when someone does something difficult to understand, or against what we would do ourselves, to just say "well, they're mentally unstable." Definitely the case for some, but it seems like a lazy dismissal with no attempt at or interest in understanding.
I was using "maliciously exploit" here to describe what would basically be the worst case scenario of such a bug (instructing every Tesla to deliberately crash at high speed). I don't think it's in any way a stretch to characterise someone who would do that as mentally unstable.

Of course there are many other ways you could exploit such a bug, but in the context of a "multi-billion dollar" event, it's really only The Big One that's in frame here.

Someone could be sociopathic enough to cause the crashes, but still prefer the money. It definitely seems like you could negotiate for more if you can play the part of that sociopath and don't mind a little bit of extortion.
But then “offering more money to sociopaths” doesn’t seem like the right thing to do, because it will only encourage more of them into the market.
When Coke's recipe was stolen and offered to Pepsi they turned them in. That is what every competitor should do.

https://thehustle.co/coca-cola-stolen-recipe

> Another off the top of my head - competitors.

Car manufacturers do plenty of shady things, but this would be ridiculously over the top. I don't think that would be a serious concern at all.

Did you hear about what eBay execs did?
Go on...
For dramatic effect I will simply say that all one has to do is google or bing "ebay execs".
Those two types in particular are examples of actors that are willing to break the law in this way. Competitors aren't going to contract a hack - like the parent comment said, every 3 letter agency would be after you and suddenly your executives are going to prison.
Public confidence is priceless in the automotive space. The risk of bleed-over onto the market segment as a whole would make that an incredibly risky (read: stupid) stunt for a competitor to pull, not to mention the legal and reputational risk if they're discovered.
OP meant two types that are indifferent to consequences.
> Who's out there that would exploit this because they thought $50,000 wasn't worth it, but would change their minds for $1,000,000? […] people who just like to cause chaos, and state-sponsored actors […].

Makes me think of the recent Twitter account takeovers. The amateur attackers acquired access which could have caused enormous damage, and used it to scam ~$100,000. The difference between $50k and $1m in bounty could have turned them towards responsible disclosure.

(That said: they probably hoped to scam much more. And they got caught. And the way they obtained access was probably way out of the scope of a bug bounty program / the law.)

Yeah, I'm not sure the old $5 wrench approach to "hacking" is likely to get you any rewards from megacorps.
Aren't there a lot of people shorting Tesla stock? Some of those would probably stand to receive a significant amount of $$$ if this were to happen.

That kind of incentive has led to underhanded behaviour in the past, so it wouldn't be surprising to see it happen again.

I'm shorting Tesla stock. I consider short Tesla an investment that makes sense over time.

And no, I'm not a hedge fund. Just an investor. Not going to be funding hackers.

lmao... this hack just underscores how exceedingly lame Tesla truly is.

You don’t need to pay more than the black market would, but the more you pay the more time people can spend on it. If the bounties are high enough, you can attract more, and better, white hats to test your system for you. The black hats are out there anyway doing what they will do.
I agree to an extent. I think security obligations are good, but they should be practical. I know the privacy activists will hate this, because it's something that works, but if we tracked users IRL, and if banks already have the ability to reverse transactions, then the stakes are much lower (because they would be able to identify theft) than with something like remotely updated cars or medical devices, which can be patched, but not before a lot of people have died. Software is advancing rapidly in a way that's valuable; the goal should be to preserve that except when it kills people in the real way.
For a vulnerability of that scope, I assume selling it to a short-seller to publish in bad faith would be more valuable than selling on the actual black market anyway. Hell, the impression I get is that unless you're fairly well connected already, selling large $ value hacks on the black market isn't exactly easy (see Twitter hack).

I don't know if this is strictly legal either, but definitely more plausible deniability.

> I don't know if this is strictly legal either, but definitely more plausible deniability.

Presumably you're into the system by the time you've discovered the exploit, so you're on the wrong side of the CFAA in the US and IMO the law would come down on you _hard_ if you acted in bad faith like that.

Even failing to report it might ruffle enough feathers for the company to use their political connections to have you prosecuted. I suspect that's also part of the reason the bounties are so low.

Are you kidding me? If money were my goal, $50k would be so insulting! A slightly more malicious person would brick the whole fleet as retribution.
Alternatively, document it with trusted timestamps and don't report it. Then if someone else exploits it you could parlay the media frenzy into a lot of publicity that's probably worth more than the tiny bounties many companies pay.

"Oh, we discovered that 2 years ago, but the bug bounty program didn't make it worth reporting. Want to buy a security audit?"