top | item 47064741

(no title)

So is there anything that would actually satisfy crowd here?

Offer $25K and it is "How dare a trillion dollar company pay so little?"

Offer $250K and it is "Hmm. Exception! Must be marketing!"

What precisely is an acceptable number?

discuss

cwillu|11 days ago

One is a lament that the industry average is so low, and the other is… a lament that the industry average is so low. What's the problem?

hsbauauvhabzb|11 days ago

An increase in the average bug payout. Bounty programs pay low on average.

idiotsecant|11 days ago

A number better than what the exploit could be sold for on the black market

i_am_jl|11 days ago

I don't believe those numbers will ever come close to converging, let alone bounty prices surpassing black market prices.

It seems like these vulnerabilities will always be more valuable to people who can guarantee that their use will generate a return than to people who will use them to prevent a theoretical loss.

Beyond that, selling zero-days is a seller's market where sellers can set prices and court many buyers, but bug bounties are a buyer's market where there is only one buyer and pricing is opaque and dictated by the buyer.

So why would anyone ever take a bounty instead of selling on the black market? Risk! You might get arrested or scammed selling an exploit on the black market, black market buyers know that, so they price it in to offers.

DiggyJohnson|11 days ago

You can work your day job and make $20-500k/yr or pursue drug dealing and make $5-5000k/yr. I don’t think that’s actually a compelling argument for the latter even if the opportunity cost is better.