by yieldcrv 726 days ago
> And there just aren't enough security people yet that market forces have commoditized bounty finding.

I have the opposite conclusion there: crypto-organization-sponsored bug bounties are far more accurately valued than Web 2.0's arbitrary, adversarial bug bounties, and have attracted tons of developer talent to crypto bug bounties and the crypto ecosystem as a whole.


Crypto bug bounties require specialized low-level knowledge. Web 2 pentesting is akin to a QA checklist. IMO OP is right that Web 2 bounties are commoditized.

More commoditized, but vastly mispriced, especially the consequential ones. But there are many laymen and seasoned programmers who would consider Web 2 bug bounties to be very specialized; at the same time, Cosmos and EVMs have been around for at least 7 years now, and many devs have only done that work, which is actually a problem in recruiting, as many of these specialized crypto devs are quite junior.

When Apple is going to fight tooth and nail to not pay you $10,000 while the black-hat government contractor will pay $1,000,000 for the same exploit, the market is saying what the real price is, and it's at parity with what Web 3 is paying.

> and have attracted tons of developer talent to crypto

And yet: "Both issues were caught after the code had been audited, merged, and slated for release"

I wonder who did those audits?

The answer to this question is out there, but the reports are not published yet.

I caution readers to not make rash judgements on their skill like this though. These bugs are really hard to find, and it was a minor miracle that I noticed these ones at all. I actually had a whole list of critical bugs in this codebase ready to report before the V2 upgrade was merged to master (which would put it in scope for a bounty). However the auditors managed to find every single bug on my list. I only noticed the ones that eventually made it here later, by a stroke of luck, and after I had already spent a ton of time looking at this codebase without noticing them.

congratulations ser

Did you try other things, like trying to get employed by the team, or consider submitting an altruistic pull request? Or was the bug bounty the adequate incentive from the get-go?

Cool thing about the space — you can likely check the source yourself + find the audit reports!
Were you being snarky about the word "talent"? Got it. Please see the forum guidelines about substantive discussion; believe it or not, they apply to crypto discussion here too.