It's not worth it. Payout by default is at least 90+ days (or 3 months) after disclosure (this is standard operating procedure to give the company time to fix the vulnerability). Then some companies have some bullshit internal company procedure for payout ("only at the end of the quarter"). Some companies dangle the carrot of "higher payouts" but only after an internal review by some fresh-out-of-college, security-bootcamp asshole. The committee downgrades it to a less severe vulnerability (ie, fuck you).
The number of clueless individuals running these bug bounty programs is not worth it. The only reason most people do it is for the "fame" within the security community; or that occasional researcher that was just bored.
Even worse, some companies (like South Korean companies) will not even pay out if you are not a citizen of the country. Makes no sense to me.
Agreed about boredom. There are times I've discovered issues incidentally, checked if the company had a bug bounty program. If they don't, I may chuck a vague email to security@, if they do I'll write something quick and take whatever they send. I've seen $3k once from this, but usually it's not enough to justify the time it takes to do the write up. There are far too many: out of scope, we already know, or other non-payment results.
They pay much less than selling the equivalent vulnerabilities to unnamed entities (there are brokers for it).
But, and this is the important part, in this case there is zero moral quandary, whereas when selling an 0day there is a significant moral question depending on who you’re selling to.
Some people do make it their full-time gig, but the issue is that it’s fairly unpredictable; much like “gig work,” you’re not guaranteed to find a vuln, and the timing between findings is going to be inconsistent at best.
It's also easier than "gray market" sales. Bug bounties pay for a wider variety of bugs, including plenty of stuff that's of no interest to your perhaps-Saudi buyers; and they don't require you to develop a weaponized exploit - "hey, I noticed this crashes" is often enough.
Plus, less risk of waking up and finding out you've been sanctioned by OFAC or something like that.
They're rich, don't hold civil liberties in high esteem, and don't have a lot of in-house expertise. So, yeah - along with some neighboring states, they're a buyer for tools they use to target journalists, dissidents, etc.
China and Russia are on the same boat, but they are far more capable with in-house tech.
OK, I see. Re-reading this with your top-level post, it's "not all vulnerabilities are the type that could be bought by (insert state actor)", which makes sense (for some reason I thought you meant that they were buying the type of bugs that would end up getting reported to a BBP, but I just misread the original comment).
And yes the Saudis definitely bought software from NSO Group but it's also been used by plenty of other governments, including half the EU...
(Israel is known to be prolific; many brokers and the whole industry on all sides have a lot of people and entities from Israel. Saudi is publicly obv active due to stories like MBS pwning Bezos over WhatsApp)
Fair enough, but do people claim them after finding them by accident? Or do people see a bounty and then put in up to X hours of effort (before either succeeding or giving up)? Does that model end up with a reasonable hourly rate?
I'm trying to figure out the labor-side economics of this.
Generally the supply side is getting a massive discount on these vulnerabilities compared to their potential costs. Although perhaps the discount applied is appropriate considering how few vulnerabilities do result in observable expense.
The economics of bug bounties from a “bug hunter’s” perspective are quite interesting! I’m going to give the short version.
There are public (such as the one being discussed here) and private programs.
To gain access to private programs you have to be invited to participate - you get an invite usually based on reputation for providing good reports on public programs.
Platforms like H1 and BugCrowd act as intermediaries for this, with reputation scores, etc.
It should also be noted here that if you rediscover a bug someone else reported, you don’t usually get paid.
With public BBP/VRP, you are competing against everyone in the space against a relatively limited subset of targets. The way to “win” is to either “go deep” against high payout targets, expending a lot of effort in the hopes of avoiding a duplicate finding, or to invest heavily in automation, or some combination of the above.
With private programs you are competing against many fewer people and have a higher probability of payout for time/effort expended.
The guys who tend to make a shitload of money off BBP/VRP either are focused solely on a handful of high payout targets, or have invested heavily in automation to grind public programs, gain invites to private ones, and repeat.
A lot of the better offerings in the “continuous vuln scanning” or “attack surface monitoring” market are from people who have been “full time” bounty hunters for a while, built out significant automation platforms, and pivoted to offering it as SaaS products to enterprise for detection of issues.
There’s a lot more to it, but it’s probably worth a blog post at some point tbh.
In my own experience, as someone who has participated in bug bounties and vuln disclosure programmes in my free time for about a decade now, I usually land a couple of nice payouts per year and a lot of issues reported without payment.
It is uncertain work. As well as finding the exploit, you've got to write it up in such a way that it is convincing to the people reading it. Then you have to argue with them if they don't accept it. You have to pay currency conversion fees and, depending on where you live, tax on income.
That's a lot of work. But it is significantly easier (I imagine) than selling to the mafia. The bad guys don't have a publicly available schedule of payments. And if they don't pay, you can't complain publicly.
Both. And the issue about trying to relate it to an hourly rate is the immense unpredictability. Some months (and some companies) may have a lot of vulns in a new product and it’s open season for a bit, but then it slows down, and you’re constantly hunting for new bounties.
It’s not entirely unlike a proper consulting gig, where half your time is spent doing the job, and half your time is spent building a pipeline of future work.
The only economical way is to collect a salary from the NSA while hunting for the exploits. Otherwise it seems too much of a lottery on both discovering a valuable exploit and getting a sufficient payout.
There are brokers for website vulns? This presentation says there are brokers for clientside RCE vulns, but doesn't mention any brokers for website vulns.
It depends on the vuln and the need. For example, an XSS won’t net you very much, unless the buyer already has a browser RCE but needs a way to deliver it to a target they know uses a particular service or browser, and for that they may need an XSS.
Still won’t net you as much as an RCE, but they do get bought sometimes.
I've been on both sides of bug bounties for many years. In truth, no one is offering a comparable bounty to what you can get selling exploits to a reseller. The closest would be Apple or Google with their million dollar bounties for cell phone exploits, but even that is likely underpaying.
The real value of bug bounties is for less sensitive products that aren't really big targets for nation states. Startups with products that haven't seen wide deployment in sensitive industries, for example.
There are many people who are perfectly happy getting "rep" and lower payouts for finding flaws in even the highly targeted applications, thankfully.
There's a lot of participation from India and other lower-income countries. Not a bad thing - it keeps a fair number of talented school-age kids gainfully employed, and it's a lot more dignified than being paid peanuts for solving captchas.
The highest ROI for me were bugs I found incidentally. Like I was building a client for some auth scheme and... yikes the documentation made it clear they are vulnerable. No POC needed, mostly linked to the part of the spec they forgot.
Bug finding requires theory building and guesswork. You're working blind. Reporting requires detailed technical writing and POC implementation. It's time consuming, so unless you're able to crank out findings or submit the same issue to multiple companies in parallel, the hourly rate will be low. Companies are flooded with low quality reports, so you really need to make the issue crystal clear.
Private bug bounties are better because there are usually obvious issues, but you're racing to be first to report.
Contract security work is much more predictable. Companies who "haven't thought about security before" are desperate for help. You can get more money building a system inventory, recommending updates for EOL systems, finding leaked passwords, and turning on firewalls. Basically engineering teams that know they have issues, but need someone external to make it clear to management that they need to invest in security. I've never failed to find at least one way to get system root or cloud admin rights on those contracts.
My experience participating in Google's program has been pretty good. The reward money is a nice supplement to my grad student stipend. I got a free trip to DEFCON out of it, too.