by gargarplex 2016 days ago
I macro agree with your point about leverage although I'd like a bit more insight here...

"You can give them a hint as to what it is, to vouch for the legitimacy of your finding, but Facebook has one of the better-resourced security teams in the industry, and they're just going to find it themselves and shut it down without paying you anything."

Wouldn't that cost Facebook much more than $7,000?


I don't think so. Those people get paid whether or not you focus their attention on a perimeter-exposed RCE bug. By tipping them off, all you've done is make them more effective for a time.

The bug is there whether a bounty hunter finds it or not. The other "leverage" you have, if you don't like $7K bounties for auth bypass on random backend thingies, is just not to hunt for bounties at all. Facebook knows that; their desire to attract bounty hunters is priced into the bounties they pay.

It's for this reason that people who want to make serious money and who start in bounty hunting break basically two ways:

* Either they get really good at mopping up lots of 4-figure bounties (hitting the occasional blackjack on something that pays into low-mid 5 figures), often with a fair bit of automation, or

* They graduate into consulting, where the weekly rate for this kind of work is substantially higher, you're given a briefing by the target about where to look, and where you get paid whether or not you find a marquee bug.

(A good person to ask about this stuff is 'daeken).

As a company, why would I want to pay the hourly rate at all? Why not contract with a reputable bounty hunter, give them the level of access I'd give the hourly consultant, and pay the hunter bounties for what they find?

Seems like that captures the "higher bugs per hour" advantage of the consultant while retaining the "you only get paid for directly producing value" advantage of bounties.

It seems like what you're describing here is simply a bug bounty program.

The reason companies pay for app pentests and also run bug bounties is that the two modalities find different kinds of bugs. App pentesters generally get a lot of intel about their targets (source is not unusual). You're also getting a team with bios and a final deliverable that records the diligence work done, which is not an outcome you get with a bounty program.

But you can do things in between. It's not crazy to offer a gig to someone who has delivered a good finding on a bounty project. But you have to do something to incentivize them beyond what the bounty already does, and the most normal way to do that is to not make payment contingent.

> I don't think so. Those people get paid whether or not you focus their attention on a perimeter-exposed RCE bug.

Well, okay, but the opportunity cost (i.e. the other valuable things they could be doing) is surely something that could have a $ value attached?

Sure. But if they drop it for this, it was less value than this - and you've saved them the time of testing less important things before narrowing in on this bug.

The bug bounty program and the salary of the security team likely come out of different budgets.

The middle manager who cares a lot about staying “on budget” for bounties could care less how long it takes the security team to track down a bug.

Sure it does. But does it matter?