undefined | Better HN

0 pointsmanquer5y ago0 comments

Most companies this size will have at least couple of peer reviews, so you will need collusion from all of them .

Nothing in the world can protect you from poor hiring .

If the employees truly are corrupt then they would make more money selling the bug in the black market then to a legit bug bounty .

Again it should not be linked to value , I.e. not 100m , it should be linked to effort it will take for a security researcher to find it .

Let’s say it took 3 months for a 0 day , the payout should be in the range of 40-50 k dollars perhaps .

It is still not a good deal for the guy finding it , he is risking months and he may not find anything , however being fairly remunerated for the effort if not the value is the first step companies have to take and it won’t look like a cheap trick.

0 comments

pantaloony5y ago

Again, the smart insider doesn’t have to write the vulnerability, they just have to (with much greater access to code and infra than an outsider) notice it and not say anything (except to the outsider they sell it to). Selling such a vulnerability is a lot easier and safer than other ways of illegally monetizing a “hack”—your biggest risk is that you won’t get paid and will have no recourse, if you don’t get the money up-front, or that you do get paid but then someone else fixes the vulnerability before it can be used (that’s probably the worst likely outcome)

[edit] before it can be used to claim the bounty, that is—part of why this is relatively safe and so fairly tempting if the pot is big enough is that the money looks legitimate without some serious digging, so if some of it goes in a crypto wallet and sits there for a couple years then quietly gets siphoned off and laundered until it becomes fiat in the insider’s pocket, well, that’s probably gonna fly under everyone’s radar.

j / k navigate · click thread line to collapse