[Info-vax] The global bug bounty marketplace

Arne Vajhøj arne at vajhoej.dk
Thu Jan 20 12:52:48 EST 2022


On 1/20/2022 11:52 AM, Grant Taylor wrote:
> On 1/20/22 7:49 AM, Arne Vajhøj wrote:
>> - years ago those people just got a thank you email
> 
> Years ago there wasn't nearly the same market for bugs as there is today.
> 
>> - in recent years many big companies have started accompanying the 
>> thank you email with a monetary reward
> 
> Today the big companies are now having to compete with darker hat 
> entities trying to buy the bugs and use them for malicious purposes.
> 
>> It works fine if it is people with a day job who do the work. They 
>> work every evening for months, find a bug, get a reward and buy 
>> something nice for their wife.
>>
>> It may not work fine if some young IT guy decides not to get a day job 
>> but tries to live off bug bounties.  That is not a stable income. And very 
>> likely it will be too low an income.
> 
> I question the veracity of that.  I've seen multiple Pwn2Own-type 
> competitions where winners are taking home six or seven figures.  Not a 
> bad payout for a year's worth of work (or less).

There are some that make good money. But I suspect that
the referenced article is correct that most do not
make much money. And I also suspect that those that
are really good would also make good money doing something
else because they are good.

Based on stories like:

https://www.zdnet.com/article/google-paid-6-7-million-to-bug-bounty-hunters-in-2020/

Google paying 6.7 M$ to 662 people = average 10 K$.

https://www.zdnet.com/article/bug-bounties-heres-how-much-microsoft-paid-out-to-security-researchers-last-year/

MS paying 13.6 M$ to 341 people = average 40 K$

https://about.fb.com/news/2020/11/bug-bounty-program-10th-anniversary/

Facebook paying 2.0 M$ for 1000 reports = average 2 K$

Arne
