[Info-vax] The global bug bounty marketplace
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Jan 20 14:10:16 EST 2022
On 2022-01-20, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 1/20/2022 8:33 AM, John Dallman wrote:
>> Over the last decade or so a global market has developed in bug reporting
>> for bounties. Bruce Schneier writes about a report on how it works:
>> <https://www.schneier.com/blog/archives/2022/01/an-examination-of-the-bug-bounty-marketplace.html>
>
> I am not sure that I can follow the point of "bug bounty
> programs being exploitation".
>
Bug bounty programs originally started as a way for people to
receive money from the organisation involved instead of selling
the vulnerability elsewhere.
The mindset in that article seems to be about turning it into a
full time job which to me was really a bit of a surprise, as the
original motivation was for organisations to be told about the bug
if you happened to find something and paying a bounty was considered
to be a worthwhile investment by the organisation for that.
There was never an implication originally (that I am aware of) that it
would be the only source of income for most people.
> The context is that:
> - big companies have always been happy if someone
> informed them about bugs in their products
> discreetly
> - they can avoid a lot of hassle and bad publicity
> by getting the fix out before the bad guys start
> exploiting
> - years ago those people just got a thank you email
Getting a CVE reference for the bug has been very important for
security researchers for a very long time, and way before the bug
bounty programs started. A CVE has long been something you can
reference when talking about the bug and something you can put
on a CV if you are applying for security related jobs.
To get a CVE, you need to report it to the organisation, which by
itself was considered sufficient motivation for a long time.
> - in recent years many big companies have started
> accompanying the thank you email with a monetary
> reward
> - and why not? those big companies typically make billions
> in profit and they save millions by getting those
> bugs early so paying out thousands is not a big deal!
>
It's also more of a reputation thing. The organisation fixes the bug
in a controlled manner instead of it suddenly becoming a major news
story when someone finds it and uses it to exploit systems or
extract private user data.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.