[Info-vax] The global bug bounty marketplace
Arne Vajhøj
arne at vajhoej.dk
Thu Jan 20 09:49:53 EST 2022
On 1/20/2022 8:33 AM, John Dallman wrote:
> Over the last decade or so a global market has developed in bug reporting
> for bounties. Bruce Schneier writes about a report on how it works:
> <https://www.schneier.com/blog/archives/2022/01/an-examination-of-the-bug-bounty-marketplace.html>
I am not sure that I can follow the point of "bug bounty
programs being exploitation".
The context is that:
- big companies have always been happy if someone
informed them about bugs in their products
discreetly
- they can avoid a lot of hassle and bad publicity
by getting the fix out before the bad guys start
exploiting
- years ago those people just got a thank you email
- in recent years many big companies have started
accompanying the thank you email with a monetary
reward
- and why not? those big companies typically make billions
in profit and they save millions by getting those
bugs early, so paying out thousands is not a big deal!
It works fine if it is people with a day job who do
the work. They work every evening for months, find a bug,
get a reward and buy something nice for their wife.
It may not work fine if some young IT guy decides
not to get a day job but tries to live off bug bounties.
That is not a stable income. And very likely it will be
too low an income.
But is that the big companies fault?
And do we really want them to drop the bug bounty programs
due to this?
Arne