voidwtf | 1 year ago
you cannot demand more than someone is willing to or able to pay, either a researcher out there will spend some time on it because it’s a relatively new contender to the market and they’re hoping for low hanging fruit, or they won’t.
obviously the bounty was enough for someone to look at it and get paid out for a find, otherwise we wouldn’t be having this conversation. trying to argue that they should set a bounty high enough to make it worth your time is pointless and a funny stance to take. feel free to ignore it or be upset that they aren’t offering enough to make you feel secure, it’s not going to make 100k appear out of thin air.
tolmasky | 1 year ago
Secondly, in a true demonstration of confusion, if you read my posts they demand nothing. They simply state what are likely outcomes of certain choices. I’m not sure how to possibly make the stance of “if you pay smaller bug bounties in a market that has other offerings, you will get less research focused on your product” any simpler. It seems fairly straightforward… and the existence of one bug report does not somehow “disprove” this. Why not make the bug bounty $1 otherwise? Oh, is that a ridiculous suggestion? Because that might not be a worthwhile enough incentive perhaps? But who are you to dictate what is and isn’t a worthwhile incentive. “That’s not how this works. That’s not how any of this works…”
> “either a researcher out there will spend some time on it […] or they won’t.”
Yes, I agree with this truism that they either will spend time on it or they won’t. Interestingly, this is true in all scenarios. My point is how to optimize researchers spending time on your product (which in theory you are inclined to do if you are offering a bounty), and I then separately even make suggestions for how to possibly require less attention by making safer choices and being able to “ride” on another project’s bug bounties.
But again, the simplest point here is that the position of “we offer low bug bounties because that is what we can afford” is fine, it’s just also absolutely defensible to be completely turned off by it as a potential user of that product, for the likely security implications of that position.