[Topfi]

I am genuinely surprised that these have been and continue to be so low. Do not know why but I was under the impression, that we had already gotten into the 1 Million USD range. While I do not know how much an interested party would realistically pay for an exploit that enables the complete takeover or even just limited access to a Gmail/Google account, I am pretty sure it has to be an order (perhaps even orders) of magnitude more than 75k.

Looked into it and am equally surprised to find that others, like Microsoft [0] also have such low bounties for these types of attacks.

While providing such an exploit to the affected company has value beyond the bounty (potential job offers, media exposure, credibility, ethical considerations, etc.), weighing that up against life-changing money really makes it hard to fault those who take the more lucrative route of selling these to the highest bidder, whoever that may be.

Seriously, Alphabet and Co. can afford more, especially considering any such exploit would most certainly hit their bottom line/stock far beyond a few 100k.

[0] https://www.microsoft.com/en-us/msrc/bounty

[ghostpepper]

You might find these slides on the 0day market interesting

https://github.com/mdowd79/presentations/blob/main/bluehat20...

Unfortunately the talk wasn’t recorded but he did do a follow up interview on a podcast called Security, Cryptography, Whatever

[Thorrez]

That seems to be saying that currently there is no market for website vulnerabilities, but a market for them might develop in the future as memory corruption vulnerabilities disappear due to mitigations.

This Google/Alphabet VRP change I think is pretty much just about website vulnerabilities.

Disclosure: I work at Google but not on the VRP.

[IshKebab]

Skip to the end if you want to see the numbers.

[doe_eyes]

There are two reasons for this. First, you're not competing with the gray market because it's quite simply a folly. If a government badly wants a 0-day, they will essentially pay whatever it takes. If you offer a million, they will offer two. You offer five, they offer ten. If you write bug-free software, they will send in Jia Tan. Their alternative to using a 0-day might be trying to hit someone with a million-dollar bomb launched from a $100M fighter jet.

But the second reason, quite prosaically, is that individual bugs aren't worth that much to a business. You can't build your security program on the expectation that you could reliably squash all bugs. You also invest in being able to detect and contain breaches - and if you do that, even the best exploit is a crapshoot for the attackers. Maybe they get in, lose access five minutes later, and are out a million bucks.

In other words, the point of paying for bugs is to raise the bar, and to get some independent validation of your security practices - not to make attacks impossible.

Finally, there's a retention element to it. Paradoxically, you might be worse off if your bounty program instantly turns your best bug hunters into millionaires. If they no longer need to make rent, they might decide that they like farming more.

[yieldcrv]

Organizations in the crypto space more frequently value their bug bounty programs more accurately and pay in very clear terms, almost instantly

Some take a bureaucratic approach but they are labeled as such on the bug bounty marketplaces

Web 2.0 organizations aren’t just competing with the gray market, they’re competing with Web 3.0’s licit market, while 3.0 is competing with immediate weaponization which is far easier to monetize

[doe_eyes]

I don't think it's about accuracy. It's just a different world. A bug in a smart contract exposes them to unavoidable, catastrophic losses. An XSS on google.com... doesn't.

[yieldcrv]

those worlds compete for mindshare

people don't consistently enter the same market for less compensation when given the choice

[j45]

A thought about when these big bugs occur, and bounties are awarded, they can't look too great.

I wonder if it's because Google was hit with more issues because they started doing cloud apps a bit before microsoft, amazon, etc.

The example that comes to mind is Gmail and it's rapid growth and issues it learned to sort out while it was becoming workspace.

No cloud is perfect, however I have heard different clouds have different maturity levels in certain areas of their security.

Something to always think about when using the cloud, which is someone else's computer.

If something goes wrong at the Cloud provider you'd have to deal with securing it some how moving forward anyways, so why not when selecting a cloud and trying to be hybrid cloud, or cloud agnostic.

[joshuamorton]

On the other hand, if you boost these too much, you're now incentivizing your full time security researchers to have white box access to leave and make more money doing white hat black box vuln checking.

And from there it follows that maybe the market rate isn't really that high, zerodium pays, maybe 2x what Google does for similar vulnerabilities, which is more but not a ton more.

[omoikane]

Maybe these bounties are intentionally set to be roughly comparable to annual salaries. A very high bounty might encourage developers to plant backdoors instead, a la cobra effect:

https://en.wikipedia.org/wiki/Perverse_incentive

[ThePowerOfFuet]

Current or former employment is almost always a disqualifier for a bounty payout.

[Carrok]

Yea but I didn’t find the bug. My buddy Jim did.

[jcims]

You're making a bit of an assumption that the black market won't simply adjust to incentivize darkening the hat.

[Topfi]

Absolutely, that would most likely happen, they'd compete like any other market. However, a more appropriate financial compensation would still come with all the other benefits that I mentioned. Reporting to the affected company tends to come with positive public exposure, potential long-term job offers from that company or others, and receiving taxable income with few complications. Even selling exploits to intelligence agencies or nation-states likely involves more hurdles compared to dealing with companies like Alphabet or Microsoft.

Receiving 75k from Google versus a few hundred thousand from a less reputable source is a different scenario compared to getting a few hundred thousand from Google versus slightly more from those same sources. In the former, I'd have a hard time not going for the large yet morally dubious payday. With the latter, I feel like most, myself included, would stick with Google

[immibis]

Reporting a security issue to a company also comes with a large risk of being arrested and sentenced. Maybe not Google in particular, but it doesn't happen infrequently that someone reports a security issue to a company and is then convicted of hacking. Those people definitely wish they'd sold their exploit to hackers.

[iftheshoefitss]

On bro plus that side doesn’t pay taxes / it’s free cash anyway

[thfuran]

Or at least that's what Al Capone thought.

[iftheshoefitss]

On fratello officer I filed my taxes I got the receipts right here lol

[doix]

So morality aside, I imagine dealing with large amounts of money that you can't explain the origin of isn't simple.

You can't just do a bank transfer, so you're probably getting paid on crypto. Converting the crypto to fiat will probably be a pain. All the reputable exchanges have KYC requirements. You'd have to explain how you came to acquire so much crypto.

I guess you could get paid in a suitcase of cash, that has it's own headaches.

Personally, I'm just picturing so many headaches that even if I wasn't morally against selling it to the highest bidder, it doesn't feel worth it. Selling to some other "proper" corporate entity or a government agency seems reasonable, but are they offering more than Google?

[tedivm]

There are legitimate companies that buy exploits, not just ones that are on the dark web and pay in bitcoin.

Just with a quick check I found Zerodium, which claims to offer bounties up to $2.5 million. They say their clients are "government institutions (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities."

https://zerodium.com/

[wavemode]

At the same time, it's likely that Google's (along with most companies) VRP are not actually trying to compete on price with government exploit purchasers. If such an institution is trying to get into someone's Gmail account, they will probably find a way anyhow. And if they do need a certain exploit to do it, they have infinite funds to just keep upping the price they offer.

It's pretty much "Mossad/Not Mossad" threat modeling: https://philsrandomblathering.quora.com/The-Mossad-Not-Mossa...

[doe_eyes]

No one paying you $2.5 million for exclusive access to an exploit is planning to do anything even remotely "legitimate".

On a good day, you might be selling to the CIA and helping catch bin Laden. On a bad day, you're selling to the Saudis and getting a journalist killed. I bet that "mainly" is doing a lot of heavy lifting in that sentence - plus, "Europe" includes Albania, Belarus, portions of Turkey, and more.

[hobo_in_library]

On a worse day, you're selling to Israel and getting a 6 year old girl's jaw blown off

[tedivm]

I meant legitimate in the sense that you won't go to jail, and you'll get an I9 for your taxes. I did not mean it as ethical, and I definitely agree with what you're saying there.

[teractiveodular]

"Legitimate" in the limited sense that you can invoice them for cybersecurity consulting, they'll pay you in fiat, and you can report this income to the tax office.

[tkz1312]

There is a thriving “grey” market for vulnerabilities, where brokers buy vulns and sell them on to e.g. intelligence agencies. This is well established and unlikely to cause much legal difficulty for the bug finder.

[soferio]

I agree. As a Nest user, I am astonished at how low the bounty is.

[amelius]

This is why a hacker should consult an agent that has more experience in negotiating with these companies.

[saagarjha]

You don’t negotiate bug bounties really.

[j0hnyl]

That's not how it works.

[amelius]

This is how it _should_ work.

[ForHackernews]

> especially considering any such exploit would most certainly hit their bottom line/stock far beyond a few 100k.

This assumption seems misplaced. Can you give an example of a security exploit seriously impacting the finances of a publicly traded company?

This is also on the front page https://news.ycombinator.com/item?id=40944505 and I really doubt AT&T stock will suffer significantly. Maybe they'll miss Q3 targets, but they'll be fine. All the execs will get their bonuses.

[hn_go_brrrrr]

Google has 12B shares outstanding. A 1 cent hit to share price is already far more than $100K.

[lrem]

Google has thousands of things going for and against it at any point in time. Unless an event is bad enough to wipe out tens of billions at once, there’s no way to quantify. And what can’t be measured can’t be a target.

[iaaan]

Solarwinds

[Topfi]

How could I forget that one. Solarwinds is an even better example than the ones I remembered (Equifax and Yahoo).

[Topfi]

I have a few examples I remembered where there was both short term impact on the stock directly after the publication of a breach and the stock remaied at a lower point across an extended period of time. I have to admit though that it is nearly impossible to attribute how much of this drop in value and the stock staying at that lower level can be directly attributed to the breach compared to other reasons, such as general performance, etc. However, on the other hand, this also does not reflect the likely high spending a company tends to do in the aftermath of such a breach on better security, PR, settling lawsuits, etc. which most certainly exceed 75k, a rounding error for business of any significant size.

Anyways, here a two examples of the top of my head:

Of course, the big one, Equifax, which had a significant drop in the week after the announcement. It took roughly two-years for the stock to trade at pre-breach levels [0], likely in part due to their less than stellar handling of the aftermath, though I'd still consider that directly linked to the breach.

More to the point, there was Yahoo, which I wanted to mention because its impact was more clearly measurable. What was weird about that one is that their case centered around a belated (by two years) announcement of a breach they faced between 2013 and 2014. That did impact their stock, but more importantly, it's the reason for a 350 million USD reduction in the acquisition price Verizon had to pay for Yahoo. Verizon agreed to cover half the cost of non-SEC government investigations and third-party lawsuits (which I feel also would fall under hitting their "bottom line"), while Yahoo covered the other half and any liability from shareholder lawsuits or SEC investigations. That 350 million USD plus fines to me is the clearest number one can put on a breach and I feel it shows that, whatever one thinks is fair compensation for reporting 0-days, 75k is far removed from that.

So yeah, there have been cases where a security exploit seriously impacted the finances of a publicly traded company and keep in mind, I only stuck with actual reductions in their stock value/acquisition price.

[0] https://www.marketwatch.com/investing/stock/efx

[1] https://www.geekwire.com/2017/verizon-pays-350m-less-yahoo-f...