[lallysingh]

Fair enough, but do people claim them after finding them by accident? Or do people see a bounty and then put in up to X hours of effort (before either succeeding or giving up)? Does that model end up with a reasonable hourly rate?

I'm trying to figure out the labor-side economics of this.

Generally the supply side is getting a massive discount on these vulnerabilities compared to their potential costs. Although perhaps the discount applies is appropriate considering how few vulnerabilities do result in observable expense.

[fullspectrumdev]

The economics of bug bounties from a “bug hunters” perspective are quite interesting! I’m going to give the short version.

There are public (such as the one being discussed here) and private programs.

To gain access to private programs you have to be invited to participate - you get an invite usually based on reputation for providing good reports on public programs.

Platforms like H1 and BugCrowd act as intermediaries for this, with reputation scores, etc.

It should also be noted here that if you rediscover a bug someone else reported, you don’t usually get paid.

With public BBP/VRP, you are competing against everyone in the space against a relatively limited subset of targets. The way to “win” is to either “go deep” against high payout targets, expending a lot of effort in the hopes of avoiding a duplicate finding, or to invest heavily in automation, or some combination of the above.

With private programs you are competing against many less people and have a higher probability of payout for time/effort expended.

The guys who tend to make a shitload of money off BBP/VRP either are focused solely on a handful of high payout targets, or have invested heavily in automation to grind public programs, gain invites to private ones, and repeat.

A lot of the better offerings in the “continuous vuln scanning” or “attack surface monitoring” market are from people who have been “full time” bounty hunters for a while, built out significant automation platforms, and pivoted to offering it as SaaS products to enterprise for detection of issues.

There’s a lot more to it, but it’s probably worth a blog post at some point tbh.

In my own experience, as someone who has participated in bug bounties and vuln disclosure programmes in my free time for about a decade now, I usually land a couple of nice payouts per year and a lot of issues reported without payment.

[edent]

Yes. I've claimed a few Bug Bounties after accidentally discovering them. For example https://shkspr.mobi/blog/2021/12/responsible-disclosure-chro...

It is uncertain work. As well as finding the exploit, you've got to write it up in such a way that it is convincing to the people reading it. Then you have to argue with them if they don't accept it. You have to pay currency conversion fees and, depending on where you live, tax on income.

That's a lot of work. But it is significantly easier (I imagine) than selling to the mafia. The bad guys don't have a publicly available schedule of payments. And if they don't pay, you can't complain publicly.

[borski]

Both. And the issue about trying to relate it to an hourly rate is the immense unpredictability. Some months (and some companies) may have a lot of vulns in a new product and it’s open season for a bit, but then it slows down, and you’re constantly hunting for new bounties.

It’s not entirely unlike a proper consulting gig, where half your time is spent doing the job, and half your time is spent building a pipeline of future work.

[kyawzazaw]

it is pretty lucrative for researchers who are unable to find similarly paying full time jobs in their countries

[0cf8612b2e1e]

Only economical way is to collect a salary from the NSA while hunting for the exploits. Otherwise seems too much of a lottery on both discovering a valuable exploit and getting a sufficient payout.