[Info-vax] The global bug bounty marketplace

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Jan 20 14:10:16 EST 2022


On 2022-01-20, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 1/20/2022 8:33 AM, John Dallman wrote:
>> Over the last decade or so a global market has developed in bug reporting
>> for bounties. Bruce Schneier writes about a report on how it works:
>> <https://www.schneier.com/blog/archives/2022/01/an-examination-of-the-bug-bounty-marketplace.html>
>
> I am not sure that I can follow the point of "bug bounty
> programs being exploitation".
>

Bug bounty programs originally started as a way for people to
receive money from the organisation involved instead of selling
the vulnerability elsewhere.

The mindset in that article seems to be about turning it into a
full-time job, which to me was a bit of a surprise, as the
original motivation was for organisations to be told about the bug
if you happened to find something, and paying a bounty was considered
to be a worthwhile investment by the organisation for that.

There was never an implication originally (that I am aware of) that it
would be the only source of income for most people.

> The context is that:
> - big companies have always been happy if someone
>    informed them about bugs in their products
>    discreetly
> - they can avoid a lot of hassle and bad publicity
>    by getting the fix out before the bad guys start
>    exploiting
> - years ago those people just got a thank you email

Getting a CVE reference for the bug has been very important for
security researchers for a very long time, and way before the bug
bounty programs started. A CVE has long been something you can
reference when talking about the bug and something you can put
on a CV if you are applying for security related jobs.

To get a CVE, you need to report it to the organisation, which by
itself was considered sufficient motivation for a long time.

> - in recent years many big companies have started
>    accompanying the thank you email with a monetary
>    reward
> - and why not? those big companies typically make billions
>    in profit and they save millions by getting those
>    bugs early so paying out thousands is not a big deal!
>

It's also more of a reputation thing. The organisation fixes the bug
in a controlled manner instead of it suddenly becoming a major news
story when someone finds it and uses it to exploit systems or
extract private user data.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
