by tptacek 2007 days ago
The fair market price of an entire app pentest of that legal dashboard application, one which would almost certainly find that bug† if run by a competent, reputable firm, along with many other bugs, run by consultants with bios and concluded with a deliverable that Facebook can file away, is probably somewhere between $20,000 and $35,000, so the idea that the fair market value of a single finding of that engagement is $75,000 is pretty hard to take seriously.

From my perspective, people have weird ideas (in both directions!) about how much this stuff costs.

It's a little tricky to say because the blog post is cagey about what the vulnerability actually is, but I'm thinking about all of the password-reset-flow bugs I've ever seen that fit the rest of the pattern of the post and I'm pretty sure this is low-hanging fruit for a serious app pentest.


One point for you to consider, though: I guess FB runs pentests all the time, either internally or externally by appointing some other company to do it.

That being said, if they pay that company 35k, for example, and they haven't found this, wouldn't that fact make this discovery worth more than 35k?

Maybe they found other bugs that were worse, or of the same value, and you should have just given them another day.
Fair enough. I could imagine that if the work were billed by the hour or said research firm hired multiple people it would be easy for costs of the work to run up to $75k - it's within O(20k). I'm not qualified to price these though - I certainly would abhor having to pay that cost if I were a small company.
20-35k assuming a sort of baseline project being 2 people, 2 weeks.