[Info-vax] The global bug bounty marketplace
Grant Taylor
gtaylor at tnetconsulting.net
Thu Jan 20 11:52:49 EST 2022
On 1/20/22 7:49 AM, Arne Vajhøj wrote:
> - they can avoid a lot of hassle and bad publicity by getting the
> fix out before the bad guys start exploiting
That assumes that the company cares enough, is capable, and actually
releases a fix. Take a look at the Microsoft Exchange fiasco that was
late 2020 / early 2021.
> - years ago those people just got a thank you email
Years ago there wasn't nearly the same market for bugs as there is today.
> - in recent years many big companies have started accompanying the
> thank you email with a monetary reward
Today the big companies are now having to compete with darker hat
entities trying to buy the bugs and use them for malicious purposes.
> It works fine if it is people with a day job who do the work. They
> work every evening for months, find a bug, get a reward and buy
> something nice for their wife.
>
> It may not work fine if some young IT guy decides to not get a day
> job but tries to live off bug bounties. That is not stable income. And
> very likely it will be too low an income.
I question the veracity of that. I've seen multiple Pwn2Own-type
competitions where winners are taking home six or seven figures. Not a
bad payout for a year's worth of work (or less).
--
Grant. . . .
unix || die