From another thread here, the author talking about the time involved:
>Two to three hours discovering and writing the initial report, couple more hours (unsuccessfully) trying to escalate it using pre-approved apps.
I'll round his estimate up to 6-8 hours, or basically a normal work day:
$5000 / 8 = $625 an hour
$625 * 40 (hour work-week) * 50 (weeks) = $1,250,000 annually
Let's say it took an entire week's worth of time (comes out at $125/hour):
$5000 * 50 = $250,000
Is that range wildly out of line for what Facebook would potentially be paying for a full-time employee? The actual salary number would probably be lower; this would include the cost of taxes/insurance/perks/etc.
Even as a contractor, where the "expect to bill ~1000 hours a year" rule of thumb is/was common, that puts the range at $125,000-$625,000.
Seems as though if you can reliably find organizations willing to pay these amounts and have the skill/luck/grit to grind out vulnerabilities at those companies, you'll make a decent living. Or, put another way, these companies are paying bounties comparable to what the same research would have cost coming from a staff member.
Would it make sense to award bonuses to every in-house security researcher based on an estimated, hypothetical worst-case cost? It doesn't take much imagination to see how that reasoning applies to other positions. Do accountants get big bonuses for avoiding multi-million-dollar errors? Lawyers for avoiding costly lawsuits? Operations (IT and otherwise) for keeping infrastructure running? Customer service for assuaging disastrous public interactions? Stretched to absurdity, would you pay for a taxi based on how badly you need to get to point B?
I believe saying "preventing these kinds of problems (doing this work) is what we pay you for" is a reasonable conclusion and paying a market rate for that general value makes more sense versus calculating a kind of commission per individual contribution. That does have a certain appeal (and I wouldn't mind seeing a discussion about it) but I haven't gotten the impression that's the perspective of those who think all* bug bounties should be higher.
*: Added caveat as I'd bet every researcher can name companies that pay poorly
Is there much reading available for that kind of thing?
But, a good starting point might be the analyses people have done on the Hacking Team leak.
To me, the latter seem like a much more obviously good idea than the former. Notably, issues of somebody going out of scope (like the Facebook issue a while back) mostly disappear. Bounties on things like Chrome seem to be almost drama-free; the worst possible case, aside from somebody 0-daying a bug out of anger, is somebody not getting paid.
Essentially what the argument comes down to is that a one-off bug to exploit a company like Facebook is actually not worth very much to anyone on the black market, because the bug is likely only valid for one company and that company will likely patch the bug very quickly. This leaves the attacker with a very narrow window to exploit the bug.
Attackers on the black market paying for exploits are looking to make money from those exploits. If there is only one place they can use the exploit, and perhaps only a few days or even hours to use it, how much would it really be worth? The exploits that pay big on the black market are ones that are enormously widespread and less likely to be fixed quickly.
If I can find better, more detailed, explanations I'll post them here. Maybe tptacek can link to his past comments...
You'd need to be very well connected to be able to get good value out of an exploit. There could very well be people that are. Hackers in leather dusters travelling the world exchanging thumb drives in shady third-world bars sounds cool as hell; in fact I hope there are people living that life, just because it makes reality that little bit more interesting. But your average pen tester isn't that.
Whenever I see the "better value on the black market" crowd show up here, I'm actually reminded of a bit (Jim Jefferies, I think) about the black market not meaning you can just head down to the docks at night going "GUNS. I WANT TO BUY A GUN".
I have heard many instances where it isn't the case (some bugs are often being exploited for months before the company finds out)... and you probably did too... but anyways, as an example, you don't need a lot of time to copy lots of data...
https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/
https://www.wired.com/2015/07/hacking-team-leak-shows-secret...
Think about the steps required to acquire and monetize stolen photographs from Facebook accounts. Only a few of those steps involve Facebook vulnerabilities, just like only a few of the steps involving building a software company involve actually writing software.
But in order for that business to work at all, it needs a steady supply of Facebook vulnerabilities; all the work setting up a sales channel for photos, in reconnoitering accounts to figure out which ones to raid for photos, in determining what the prices for photos should be, in scouting out new customers for photos, and most of all providing OPSEC for a ridiculously risky criminal venture, all of it is at a standstill until someone (a) sells them a vulnerability and (b) shows them how to pivot that flaw to acquiring photographs.
Nobody is running that business, ready to receive Facebook CSRFs (or even serverside RCEs) so they can get another few weeks of Facebook photo-snarfing in. One way you know that is that when celebrity photos are stolen in phishing attacks, it's a major news story.
Vulnerabilities that command high prices on the black market do so because they slot into already-existing criminal enterprises. If the enterprise does not yet exist, the vulnerability is worth zero.
http://pagesix.com/2014/05/15/employee-who-leaked-solange-ja... http://www.newyorker.com/magazine/2016/02/22/inside-harvey-l...
They would be more worried about a Gawker/Hulk Hogan-like lawsuit than getting criminally prosecuted.
PS: and by the way, I'm in no way circle jerking, this is not reddit, I'm here for a serious discussion on the topic.
There is virtually no market at all for serverside bugs, because they have no half-life: as soon as they're detected, they stop working against all targets instantaneously. Contrast that with browser clientsides, which have long half-lives.
A SQL injection bug in a Facebook service would not fetch much more than $50 from anyone but Facebook itself.
- How likely it is for someone else to find it (even internally)
- How long does it take for it to be identified and exploited, the impact of that, and time for mitigation/fixing
- How much would it cost to repair the trust of the users if the breach occurs. PR, marketing, organizational costs
Do you think a big company would pay $5k for a PR campaign to fix a mess due to a breach of private data? Not remotely.
Two to three hours discovering and writing the initial report, couple more hours (unsuccessfully) trying to escalate it using pre-approved apps.
>I think $5,000 is a joke
This is still $5,000 more than I would get reporting a similar bug to 99.999% of companies, and I am OK with the bounty. Here is a good comment on the topic of bug bounty rewards: https://news.ycombinator.com/item?id=11249173
If you can't find a buyer and/or would most likely be unwilling to commit a crime, it's a moot point.
You'll get a taker. Nobody other than Facebook is bidding for these bugs, and you're promising to be the high bidder for a lot of them.
Edit:
Actually, now that I think about it, someone in the right situation could probably make a nice living for a few years buying cheap/obscure exploits for lots of companies that provide bug bounties and submitting them. Beer money at least, perhaps tuition.
Seems sort of on the scale of small time drug dealer. Illegal, very risky in the long term, but possible to get away with for a few years if you're cautious.
I tend to agree. They should probably add a zero to that.
Obviously $5,000 is a lot of money, but not to Facebook, and especially not in the context of fixing serious vulnerabilities on a platform that has 1.65B users.
If Facebook paid more they'd enhance their security in the process, at the cost of what amounts to chump change for them.
People might mostly take what they're offered and have it amount to a decent enough hourly rate, but there will be that one in ten or one in a hundred unhindered by moral and/or legal considerations.
At that point, it turns into a cost calculation - perhaps it would indeed be cheaper to pay tenfold or more to a hundred people than have just one sell their bug/exploit/whatever to another, more interested buyer?
To incentivize people to tell them and not sell it to hackers? Because these sorts of things are very valuable to Facebook and they have gobs of money? Because a higher total would make more people interested in looking for issues?
There really should be a bug marketplace, instead of one side having all the power and paying pennies.
If you believe otherwise, you're missing a business opportunity. Go create a "bug market" for Facebook and Google serversides. It's not illegal to buy vulnerabilities, or to sell them (so long as you're reasonably sure they're not going to be used as part of a specific criminal enterprise --- but don't worry, if you stick a $5000 price tag on a serverside bug, or even a $500 price tag, you can be pretty sure it won't be used by criminals).
However, I do believe saying you discovered a pretty serious bug by putting it on a market sends a strong message: your system is vulnerable and you are too cheap to pay up.