by flyinglizard 4520 days ago
Isn't $5000 ridiculously low compared to the black market value of a GitHub exploit, or the time required to develop it?

Assuming a company thinks it's pretty secure, putting real money on the line (the same money you'd normally pay an expert to pentest your system) would get some more prolific minds involved.

6 comments

No, it is probably not. People have weird ideas about how much random web bugs are worth. Big ticket bugs are easily monetizable, and/or attack a huge install base with a very slow patch cycle. People hear about 5-6 figure bugs, but those are typically reliable browser clientside RCEs.
GitHub also has a slow patch cycle: Enterprise edition.
It is easy to think that, but I think that isn't the case for a few reasons:

- You only need one person to report it, so if Nefarious Nigel has found it and is planning to use it for profit, and then Sweet Sarah finds it and reports it, then it worked. I imagine this is the case for the majority of bugs (but can't prove it).

- $5000 isn't in a different order of magnitude to Google's rewards, and they paid out several million dollars. This demonstrates that it does motivate people but also that adding a 0 on to that would likely have a far larger impact on revenue than Nefarious Nigel and his evil plans.

- I think a large number of smart people would (rightly) be scared about taking the black market route, but are motivated when they know there isn't a legal risk. Or, put differently, the risk to reward ratio ("pot odds") becomes worth it at this value for a legal prize.

Making 5k legally might be more appealing than making 20k on the black market, for example. When you have to hide your tracks and risk getting caught, a lower, for-sure sum might be more appealing. Also, GitHub is new at this; they might raise the bounty once they see how the program progresses.
Bug bounties are rarely competitive with their black-market value. I think in most cases they're intended more as a "thanks!" than a "please don't hack us".
You're sort of just re-stating the question. I think everyone understands that's the way things are. The OP is saying that the way things are doesn't make much sense.

My guess is that the thinking goes something like this: White hats aren't going to hack us anyway, and will be fine with the tiny rewards we give them. So there's no reason to increase the rewards for them. Black hats probably aren't going to be dissuaded even by very high rewards, or perhaps even with high rewards they'd try to have their cake and eat it too, selling exploits first and then reporting them. Basically, they can't be trusted so trying to buy them off with a fair-market price isn't even worth it, so we may as well ignore them in our pricing strategy.

I don't know if that reasoning is correct, but I think it approximates the thinking that leads to the status quo in this case.

I doubt it. Why wouldn't github want to pay more so that black hats also sell them bugs? Indeed, these are the very bugs that are going to be exploited, so it makes perfect sense for them to pay whatever it costs.

The real reason is probably: because nobody else does. I think it is doubtful black hats would sell their bugs to github unless github was paying 2-3 times the market rate, since the black hat can sell the same bug to multiple people.

It is a mistake to assume that bug bounties exist to compete with black market prices.

I argue that bug bounties are a pressure release valve for people who know that there's a problem, but are unsure if they're at risk of getting lawyer'd or prosecute'd for disclosing vulns.

No private entity can compete with nation states for vulnerability rewards.

Someone on the black market will almost always pay more than a company. The real value in responsible disclosure is typically from a consulting contract that may follow the report. Their leaderboard list also seems like a good way to build credibility in the community.
I think an ideal balance point (for all companies, not just GH) is one where someone can make a very comfortable living finding and reporting security flaws. You simply don't do that with $100-$5k bounties. GitHub, more than nearly every company out there, is entrusted with trade secrets that are the livelihood of their customers. Paying top money to get security bugs found is not optional, but something that should be regarded as a "cost of doing business".