Much of the conversation here centers around the value of reporting to Facebook vs. selling to black hat. This is the wrong paradigm to view this issue through. Taking the view that selling to blackhats is ALWAYS wrong, it may still make sense for Facebook to pay significantly more to find vulnerabilities in their system. A less vulnerable system is one with a competitive advantage, and I think Facebook is missing an opportunity to tout their security credentials. Let's take a back of the envelope calculation. Say instead of $4,500, they paid each of the 66 people who submitted a vulnerability $50,000. And since we're not halfway through 2013 yet, let's assume that in total 150 people will submit valid security holes to FB this year. That's $7.5 million dollars paid out. Now, once word of a $50k payout gets out, say 10x the number of people try to find vulnerabilities, and the success rate increases linearly. So Facebook pays $75 million a year. What are the benefits of this program? I'd say you get a few major benefits vs. the current situation:

1. You will definitely convert some blackhats away from exploiting FB data in exchange for $50k legally obtained.
2. You convert a lot of people currently looking for security exploits in Google, Amazon, etc. to searching for FB vulnerabilities.
3. As a result you have a much more secure platform.
4. You can leverage these payments through media and PR to legitimately show that you care about security.
5. You combat competitors by touting a more secure platform.

$75 million is not small change when you look at FB's operating income, but it's not going to break the bank either. The point is that it may well be a rational decision on FB's part to offer significantly more and it has nothing to do with the black hat market value of the exploit.
Presumably, one would see diminishing returns in the ability to find "low hanging fruit" exploits, and thus the economics @ a $50k pay-out would be even more attractive for Facebook.