[evan_]

Bounties exist for security bugs to make it more profitable to report the bug than it is to exploit it, or to sell knowledge of it to those who would. A buy about opening 70 copies of Visual Studio is unlikely to be very profitable to exploit.

[droopybuns]

Repectfully, you are incorrect that bounties exist to make it more profitable to disclose than to sell.

Corporate bug bounties will never be able to compete with the budgets of nation states.

They are basically a way of paying respect for a moral approach to a discovery that takes great skill.

[MichaelGG]

Please tell me, what do I need to do to sell to nation states? I've found lots of remotely-exploitable (as in root or direct financial gain) in open source and commercial software. Vendors have poor responses[1] so I've stopped disclosing but if I could legally convert them into cash I'd be very interested in knowing how. For now I'm just keeping them because I might decide to open an auditing company some day and they'd be good marketing.

1: Once a company got angry and blamed me for delaying their shipping cycle. Another time they laughed when I suggested their memory corruption might be leveraged for escalation. And another vendor told me "buffer overflows would only happen maybe if you had a very fast network IO".

[x0x0]

here's a profile of a 0-day broker [1] I read a few years ago

[1] http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...

[MichaelGG]

I wonder what pricing is like for industry-specific systems. Places where a operational leak can easily cost $$$$$ a month and go rather undetected and certainly not prosecuted.

I suppose that's only valuable to criminals. Sorta like saying knowing someone's bank info can let you steal money - no one legit will pay for it.

[milkshakes]

you could always work for endgame systems

[sliverstorm]

Of course they cannot compete on a dollars-for-dollars basis, but people will often accept less return (or pay more) to stay on the up-and-up.

If a criminal would pay you $10 for your exploit, and I would pay you $9 to disclose it- many people would opt to disclose.

[pflats]

Furthermore, I imagine it could attract researchers' priority and attention to your product over a competitor who offers a lesser/no bounty.

[kalleboo]

And what if instead of $10 and $9, it's $75,000 and $1,000? And you live in an Eastern European country, where the former will feed your family for years.

[sliverstorm]

Then the ratio of people who would disclose, changes. I'm not saying the bounties prevent everyone from selling to criminals.

[evan_]

Do we have the numbers on what percentage of disclosed bugs are from Eastern Europe/"poor" countries? My guess is that gray-hat researchers take into consideration their likelihood of being caught when considering the bounty.

It would be interesting to know the percentage of people from less-developed countries who choose to claim bounties rather than exploit the bug vs. that of people in more-developed countries. I think you would probably find that fewer bug bounties are claimed by researchers in countries with less computer crime enforcement. I think you would also find that raising the payout for bug bounties would affect that likelihood.

Great thesis project for someone to work on.

[evan_]

You're right. I shouldn't have said "more profitable"- obviously you're going to get more money immediately by exploiting a bug that gives you direct access to everyone's bank account. What I should have said was "more attractive".

If I have to choose between 5 year's wages with a 90% chance of going to jail for a very long time vs. a month's wages as a bounty and a 0% chance of going to jail, I'm going to pick the bounty every time. I think a lot of people would agree with me.

As discussed further down in this thread, raising the value of the payout or lowering the possibility of being caught makes the other side more attractive.

(of course, I would choose to disclose every time, because I'm just a good person.)

[singlow]

I don't think the bounty is all that significant in deterring any would-be exploiter. Instead, it incentivizes the honest person who enjoys the puzzle of finding the exploit but would never actually try to profit from it illegally. It might allow some of those "hobbyists" to justify a little more time at the task, or attract them to one project over another.

[octagonal]

When is the last time you heard of someone going to jail because of a zero day?

[tzakrajs]

Bad guys must not agree with your assessment of 90% chance of going to jail.

[mseebach]

The risk of getting caught isn't constant, it's highly dependant on the circumstances and the perpetrator.

Also, besides the crime itself, spending a large sum of ill gotten money without getting caught is a lot easier if you already move in an environment geared for that - few things you can do in a middle class lifestyle that won't arouse suspicion.

[fyrabanks]

I think that's what defines them "bad guys".

[Fuxy]

That sounds like wishful thinking to me.

Realistically companies including Microsoft will pay as little as they can to anybody and if they get such nicely detailed bug reports for free why would they ever pay.

[catshirt]

that's the point. if they were paying to compete with the black market they would be paying more.

[droopybuns]

Is ms paying bounties?

I thought they only reward major exploit mitigation bypass.

So I am not sure whose argument this supports, but I think ms pays bottom dollar ($0) for general vulns.

[brokentone]

Bug bounties also pay for the work an individual puts in on x-random company's product. The time taken to figure out and fully demo a POC isn't inconsequential.

[fleitz]

The feds usually play on the god and country crap rather than actual cash.

[saraid216]

Speaking from experience?

[fleitz]

Just general observations from things like the rate of pay differences between the army and blackwater.

I'm imagining that if you phoned up the CIA/NSA to sell them a vulnerability that they would not pay you and instead would send some lawyers to seize the info under a flimsy pretext.

For the most part the gov't acts like working for the gov't is some noble thing worthy of losing pay over, as if it was some special honor to die being paid $40K per year instead of $400K per year.

That said if you can contract something out to the gov't through official channels they'll pay the stupidest rates imaginable. So I guess if there was an FBO contract for vulnerabilities you'd probably do quite well.

[ntakasaki]

>Corporate bug bounties will never be able to compete with the budgets of nation states.

I somehow first misread that as 'Companies will need budgets of the level of nation states if they start paying for all bugs'.

[droopybuns]

Ha!