by consumer451 729 days ago
Yes, that is actually worth it. This seems comparable to what a third party might pay.

I have always wondered why the payouts are capped at the trillion dollar corps at such low figures. It appears like $75k max at MS and $100k max at Apple. Meanwhile shady 3rd party groups will pay you 10x that, won't they?

3 comments

Cryptocurrency bug bounty programs perhaps have an advantage in that the risks of classes of bugs are often concrete, financially quantifiable, immediate, and catastrophic. A bad RCE in a mainstream OS could do untold damage to users, reputational damage to the company, and so on, but even if severe, those risks have to be estimated. But in this case, for example, it seems like the $2m bounty was for a bug that, if exploited, would have made $1b in market cap disappear. I expect it's just much simpler to convince a skeptic businessperson when the risks are so clear.
That's a very solid point, as sad as it is.

I suppose the argument for OS makers to raise their rates might be that they are paying 10x below market rates, and the rates were set by the actual freaking market that exists.

If I were a congressional aide, I would definitely write something up about this when my boss was going to drag a Microsoft exec across the coals in public. I would imagine that billions in gov contracts are at risk for MS right now due to lax security. A $2M bug bounty could have prevented that.

Apple outbids bottom- and mid-tier buyers, and top-tier buyers are extremely finicky about what they're buying: exploits, not vulnerabilities, for reliable bugs, with a variety of additional constraints. Apple and Google will buy exploits top-tier IC buyers won't, with less negotiation and less risk.

The major parties to this market are aware of each other and are calibrating against each other; Apple and Google aren't blowing this off. It's complicated and counterintuitive in a bunch of ways.

I wonder if very large bounties create incentives to create bugs...
There could also be a reverse bounty paid as a salary bonus to the devs if there is no security bug found in N months. A "code quality bonus", if you will. Though only to encourage quality control.

Intentional bug creation should probably result in firing, unless it was done under duress.

Oh yeah, the old cobra effect. However, you could only pull it off once. I am sure a postmortem of all related design and commits would be done, correct?

Also, FAANG level salaries are pretty high for anyone involved with that type of code, right?