by doe_eyes 702 days ago
There are two reasons for this. First, you're not competing with the gray market because it's quite simply a folly. If a government badly wants a 0-day, they will essentially pay whatever it takes. If you offer a million, they will offer two. You offer five, they offer ten. If you write bug-free software, they will send in Jia Tan. Their alternative to using a 0-day might be trying to hit someone with a million-dollar bomb launched from a $100M fighter jet.

But the second reason, quite prosaically, is that individual bugs aren't worth that much to a business. You can't build your security program on the expectation that you could reliably squash all bugs. You also invest in being able to detect and contain breaches - and if you do that, even the best exploit is a crapshoot for the attackers. Maybe they get in, lose access five minutes later, and are out a million bucks.

In other words, the point of paying for bugs is to raise the bar, and to get some independent validation of your security practices - not to make attacks impossible.

Finally, there's a retention element to it. Paradoxically, you might be worse off if your bounty program instantly turns your best bug hunters into millionaires. If they no longer need to make rent, they might decide that they like farming more.


Organizations in the crypto space more frequently value their bug bounty programs more accurately and pay in very clear terms, almost instantly

Some take a bureaucratic approach but they are labeled as such on the bug bounty marketplaces

Web 2.0 organizations aren’t just competing with the gray market, they’re competing with Web 3.0’s licit market, while 3.0 is competing with immediate weaponization which is far easier to monetize

I don't think it's about accuracy. It's just a different world. A bug in a smart contract exposes them to unavoidable, catastrophic losses. An XSS on google.com... doesn't.

Those worlds compete for mindshare.

People don't consistently enter the same market for less compensation when given the choice.