
(my comment is on the overall trend, as the specifics on this incident are complex)

The issues with bug bounties as a whole is the market is skewed. For any work done by a bug bountier, there is exactly one legitimate buyer, who gets to make a significant judgement call on the value of the work done. Furthermore, this value is decided upon after the work has been completed, and has been provided to the company. In what other industries is this the case?

Alternatively, triagers have a whole pile of crap to wade through, to get to the useful material.

Furthermore, it really is hard to place an accurate monetary value on a bug that's responsibly reported, and patched. This is in part due to unclear monetary results from being breached. What precisely is the monetary loss from the recent MS Teams bug that was reported but not exploited vs the incidents this year at Twitter and SolarWinds?

Having had some involvement in the bug bounty arena as a reporter, I have to say I'm a big fan of those companies that open up all of their reports after a fix period of time. This allows them to build trust with those who look into their products, and develop a reputation for being prompt and consistent.



> Furthermore, this value is decided upon after the work has been completed, and has been provided to the company. In what other industries is this the case?

Those "mail us your gold" ads on TV.


Hospitals do this, but backwards. The service provider gets to set the price.


Basically only in America, though. Elsewhere the situation where someone gets into a car wreck, goes to hospital and then gets told how broke they are now just doesn't exist.

In much of the rest of the world, the health system sets and publishes the rates - and guarantees payment to service providers. The doctors perform the services, and then submit for renumeration directly to the health system. The patients, well, they're sick and don't have to worry about any of it.


Side note, just fyi, because I used to make the exact same (tiny) mistake all the time. It's spelt remuneration rather than renumeration.

I think it helps to think of the `muner` part as being derived from the same root word as money rather than `numer` as number (which had been my previous assumption I guess).

You just inspired me to actually google my memory technique above, and it turns out the `mun` is from a latin root word for gifting (think munificent)[0]

So now I can think of a munificent monetary remuneration, and should remember it!

[0] https://www.merriam-webster.com/dictionary/remuneration#:~:t...


Thanks! I think I’d have been typing it wrong for the rest of my life had you not pointed this out haha.


Most developing countries are moving to the US model - private hospitals in India, China and the Middle East, for instance.

What baffles me is how expensive government hospitals too are in the US.


It's not about whether the hospitals are private or not, it's whether you know the price beforehand and can make an informed choice - the most basic thing about the free market.


Funny how everybody began to downvote me after totally misunderstanding my point in muddled fashion.

I wasn't talking about hospitals going private - after all, there are private hospitals in Europe and the UK too. I was talking about poor price transparency in the US being adopted in all of those places by private players. I specifically called out government players in the US, since they engage in the same practice, while government hospitals in all of those countries do not.


Pretty sure they make you an offer on the gold that you can decline. Probably still predatory but I think you are mistaken


> triagers have a whole pile of crap to wade through, to get to the useful material.

This is very true.

> The issues with bug bounties as a whole is the market is skewed. For any work done by a bug bountier, there is exactly one legitimate buyer who gets to make a significant judgement call on the value of the work done.

The problem, in my experience, is that they never analyze it by its potential. Why would they, they have the details now and usually your legal details so if it leaks they'll have you busted in a heartbeat and sued for contract violation.

> Furthermore, it really is hard to place an accurate monetary value on a bug that's responsibly reported

I submit that from my experience threat modelling this is actually dead simple but nobody feels the need to do it.

> What precisely is the monetary loss from ...

As you point out, the issue is that there's a single buyer. You really need to open up the bidding. If you trusted a Russian mob to pay residuals (and they probably would) you might be able to sell this for what ended up being $50M+, and the criminals could clear billions if done right. Then the next time something like this came up you'd have more bargaining power. If the company was still there...

Thomas is right that there isn't specifically a market like flippa for exploits but there are dark markets and many of the vendors would be open to a chat. I'm not rooting for this, I'm just not blind and it will happen. (Well, if it's Twitter I'm rooting a little...)


IMHO it’s only a matter of time until someone blows up a unicorn just for the thrill of it. That’s not something I’d support, but I won’t feel bad for companies that don’t pay adequate bug bounties.


You mean like cracking the most lucrative accounts on Twitter and then stealing Bitcoin? https://www.wired.com/story/inside-twitter-hack-election-pla...


As of right now, what is the lasting damage done to twitter by that attack? My argument is that it honestly wasn't that much, and thus bugs capable of that amount of damage aren't valued that much either.


There is plenty of price competition for your bug disclosure: the Chinese, the Israelis, the Saudis, the Americans, OR directly to Apple. :-)


Yeah let me just call up Saudi intelligence real quick, what's the name in the yellow pages?


Just mention MBS on a WhatsApp chat to a Saudi journalist, they find you.


He said legitimate.



