by donmcronald
2112 days ago
> Who's out there that would exploit this because they thought $50,000 wasn't worth it, but would change their minds for $1,000,000? The article says the max bug bounty was increased to $15k eventually, so it was even less than that at the time even though they gave him $50k. Kudos to whoever at Tesla stepped up and gave him extra. I'd seriously consider not reporting something like that for $15k unless I was worried about someone else exploiting it and having a trail of access logs lead back to me. People that discover bugs like that with massive destructive potential must be on every TLA list on the planet afterwards and I don't think that's worth $15k. $1 million is life changing and puts you into a higher social class. I.e.: Poor == probably a criminal. Rich == probably not a criminal. It's sad, but that's the way it works and I'd rather be rich if I were on a short list of "dangerous" hackers.

If you're able to sell a Tesla vulnerability to the supply chain of a state-level actor, it's probably because they're already actively exploiting Tesla vulnerabilities. By the time random discoveries like this are part of the supply chain, the supply chain is already chugging along.
I think a good rule of thumb is that no serious actor --- not a state, not a crime ring, not a competitor --- does speculative engineering to accept and operationalize a third-party vulnerability. If they're buying, it's because they already have an operational infrastructure to drop the bug into. When you're figuring out the dollar value a vulnerability has, start by telling yourself the story about the entity that already has a bug just like it, is exploiting it for some articulable purpose, and wants a replacement or 10 in the hopper for later. (I don't think this is a perfectly reliable heuristic, but it's where most of this kind of thinking should start).