On Thu, Aug 06, 2020 at 07:28:07PM +0000, Livingood, Jason wrote:

> I have heard that some security researchers may not bother reporting
> absent a small bounty.

This is true. One of the many problems with this approach is that the bounties are, indeed, small. Serious bug research may take months of painstaking work; offering someone $500 for that isn't going to really motivate them to share their result when they may be able to go elsewhere and get $50K for it. This is particularly glaring in the case of companies which are reporting multi-billion dollar profits and paying some employees multi-million dollar salaries, yet for some reason can't seem to find more than pocket change for bounties.

While it's true that some reported bugs are the result of minimal work and the use of an automated tool, some of them require months of diligent, careful work. A bounty for such things should reflect the current market value of that labor, plus a bonus because all of that work was done on a speculative basis, plus a bonus because that work fixes a problem that got by everyone else, plus a bonus because it will save the company the much larger expense of dealing with the fallout if it's exploited. Bug bounties probably need to start at five to six figures.

Another problem is that companies often refuse to pay. This is understandable if it's a non-bug or if it's something found by an automated tool that they already ran 63 times and know about, but it happens often enough with serious/detailed/complete bug reports that it has created an atmosphere of distrust. So anyone who's got a viable bug now has a choice: offer it to a company which may well use its legal and bureaucratic resources to weasel out of paying even a minimal amount, or offer it on the open market to buyers who also may weasel out of paying but *might* cough up a lot more for it.

If those offering bug bounties want to be taken seriously in the marketplace, then they need to start adding more zeroes to the right side of their bounties.

---rsk