by thaumasiotes
2016 days ago
So what do you think is going on in this piece (5 years old), where Alex Stamos characterizes the issue as "trivial and of little value"?

> Facebook has big pockets. As a bug bounty hunter, I'd not worry about being screwed by them. It's by far one of the best paying bounty programs.

I don't think the middle sentence is related to the other two. Every company I triaged for had deep pockets. I routinely saw payouts in excess of $1,000 and not uncommonly several thousand. I don't recall ever seeing one that hit $10,000. But what I'm describing above are ways for the company to screw the researcher without really being motivated by stinginess. Fairness is not a concern.

I sadly wasn't there at the time, and Stamos' post doesn't refer to it at all. So I can't comment on this.
I guess the truth on this is just known to the researcher, their boss, and Stamos.
> But what I'm describing above are ways for the company to screw the researcher without really being motivated by stinginess. Fairness is not a concern.
That's a fair point, and I can see how representation can cause a significantly different payout decision, especially if there is no technical payout panel with a security background.
Phrasing something as "Reflected XSS" vs. "Account Take-Over via XSS" sounds undoubtedly different. But it is impact-wise probably the same.
The problem is mitigated at Facebook by having engineers in the payout panel that understand the tech stack and security implications. But I think many companies don't have that luxury, and you undoubtedly may end up with inconsistencies.
Thanks for sharing your perspective. Much appreciated!