In the way that they're getting pennies on the dollar. Of course they don't have to participate, but neither do workers in any other economy where slavery was abolished, so I don't see the point you're making.
This isn't a market in any classical sense. First because Google decides what your bug is worth only after you submit it, second because the quantity of the product is indeterminable, and lastly because it includes participants at the state level on the buy side with basically infinitely deep pockets.
I think it depends on how you look at it. If your treated it as a job where you're trying to make a living from bounties then I think it is hard to do that, but if you do it as a side project or you happen to stumble on an issue then 5k or whatever is a nice bonus for reporting the issue responsibly.
Exactly. Bug bounty seems like one of the smartest financial decisions a company can make. As for devs, it seems like a good deal if they're going to be finding these vulnerabilities anyway
anyone have data on comparable companies' bug bounty payouts? $10m seems like a drop in the bucket for an org worth nearly $2 trillion, but its hard to say without seeing what similar-size companies do
One way to look at it is a small price to pay, relative to the cost of those vulnerabilities being discovered and exploited in ways that cause major brand damage, negligence liabilities, and regulatory pressure.
(Though, as developers, we shouldn't forget: not continuously creating vast numbers of defects in the first place would be better for society, and for the professionalism of our field.)
Google spending $10M is roughly equivalent to their share price moving 1/10 of 1 penny. Compare this to the cost of an exploit making into the wild and causing potentially hundreds of billions in value being lost.
From this perspective one could make a reasonable argument that the bounty should be far higher.
Exploits have a market clearing price, and for most vulnerabilities, that price is drastically lower (often asymptotically approaching zero) than technologists not i the field assume.
Exploits can also cause damage, and the scale of damage inflicted doesn't have to connect to the market clearing price; that's a valid point to make. But it doesn't necessarily follow from it that researchers should get a bigger cut of the hypothetical damages.
The most essential thing to understand about FAANG/hyperscaler bug bounty programs is: the people running these programs are incentivized to pay out more money. Google (or at least, the people running the bounty programs) would be happier i they were paying $20MM instead of $10MM. But they modulate prices to attract more and better submissions, and they can't raise prices "just because".
Critical exploits make it into the wild all the time. At worst they cause a tiny, temporary dip in stock price and frequently they cause the stock price to go up long term due to publicity. That is why they only spend 10 M$ on bounties, there is literally no point to spending more because the ROI is garbage.
The only reason to run a bug bounty program is optics. You run a program paying out paltry amounts so that when your security is routinely completely compromised you can say you were a upstanding company who tried to work with upstanding offensive researchers. It is those evil, dastardly criminals funded by insert government here using "advanced", "unique" techniques and who can stop that? Therefore it is not our fault, now go keep buying our products and stock even though we have made no changes to our incompetent security process. Works every time.
OK, but governments operates computers, too, and don't want other governments to be able to break into those computers, so do they just not spend a lot on making it hard for the attackers from foreign governments or is defense different from offense here in that a government's inability (the US gov at least) to pay sky-high salaries does limit its ability to create and maintain good defenses?
Offense is easy because defense is a joke. Nobody in the entire world has network connected commercial IT systems that are even minimally adequate. Yes, that includes Google, Amazon, Crowdstrike, any bank, Microsoft, Apple, Mandiant, and whoever else you care to name. All useless against small professional teams with a most a few million dollars of budget; amounts so small many of those companies have their financials denominated in larger units despite most of them spending hundreds of millions to billions of dollars trying to stop such attackers. If you are actually trying to stop a government with any of that garbage you might as well try to use an egg to stop a steamroller.
If offense is as heavily favored as you say, then how come Russia hasn't done more damage to computer systems in Ukraine or in Western countries that support Ukraine? Clearly Russia is committed to spending whatever it takes to win the war and clearly Russia is not being held back by Russian worries about how the West will respond to Russian attacks on Western computers nor is it being held back by worries that if they deploy whatever exploits they have now (in attacks on Western computers) then those exploits will not be available for a more serious conflict with the West -- the Kremlin sees the current conflict as already extremely serious and consequential.
For example, after Musk gave Starlink terminals to Ukraine (and Musk admitted as much in public) why wasn't Starlink's web site constantly being taken offline by Russian cyber-attacks? Ditto the routers that route traffic to and from Starlink's satellites.
Is it your position that Russian spies are constantly breaking into Ukrainian and Western computer systems, but then they are only exfiltrating data because if they take those systems offline then that announces to the enemy the existence of the compromise, which the enemy can then respond effectively to (e.g., by buying new servers)?
>Compare this to the cost of an exploit making into the wild and causing potentially hundreds of billions in value being lost.
Hundreds of billions?! What software vulnerability ever caused financial loss even close to that? Although you are right, that if your products are used on millions of devices you want to earn and keep users' trust. That's what Bill Gates and Microsoft realized 20 years ago[1][2] after lots of Microsoft's users and their devices got wrecked by Windows worms.
Cambridge Analytica was Facebook's screw-up on their users' data usage policy; basically Facebook enabled developers through Facebook's API and Social Graph integration siphoning of people's data for nefarious reasons. Could this be caught by public crowdsourced bug hunting project? Probably not or perhaps, if you would think about ways on how you can use people's social signals and connections to create some sort of privacy invading or flat out criminal products.
I remember that after Cambridge Analytica, Google started limiting their API scope as well.
I wouldn't classify Cambridge Analytica scandal as a software vulnerability but as a reckless data usage policy on the Facebook's part.
Google has one of the best staffed and best regarded security teams in the entire world; that consideration is not limited simply to the technology industry, but to all organizations globally. They are outgunned by the US Government, of course, but they in turn probably outgun the security teams of many other significant countries.
I had assumed Google/Microsoft/Apple had better security teams than the US Government because they could pay so much more. I wouldn't be surprised if maybe the NSA had better red teams than Google, but I'm honestly surprised the US Government outguns Google outside of that.
Exploit development is more about effort and focus than difficulty. Any halfway-competent team can completely compromise any commercial IT security system.
It is a competition to see who can crack the most eggs. Anybody can do it, but the winner is who is willing to spend the most time doing it.
Google, and any commercial non-hacking organization, just has very little incentive to really waste a lot of money on that task. Where as basically every military and law enforcement arm of the US government has a ton of incentive and boatloads of money to spend cracking eggs. The military arms certainly spend billions a year and it would be quite unexpected if the law enforcement arms are not each, individually, spending hundreds of millions to billions per year.
Is the quality lower? Maybe. But exploit development is so easy that hardly matters. If you want to hack somebody then good enough is enough.
Do you have any evidence at all that law enforcement agencies engage in vulnerability research in any significant way? I’ve never heard of a single program.
You do realize the FBI is a law enforcement agency, right? It is so commonplace and expected that they have literally issued press releases where they publicly claim to have hacked criminal networks [1].
For that matter, who do you think hired various domestic hackers out of jail?
At this point, the advantages of exploit development are so obvious and lopsided that you need evidence that an agency with motive is not engaging in exploit development. Even then, they routinely lean on the other agencies to get access to hacking capabilities that they might not have in-house, so the gap is even smaller if we talk about hacking capabilities.
Law enforcement agencies buy from exploit developers who supply complete toolchains; I don't know for sure but I kind of doubt the FBI staffs any vulnerability researchers, or even any CNI people.
40 comments
[ 5.4 ms ] story [ 114 ms ] threadApple: https://security.apple.com/blog/apple-security-bounty-upgrad... ($20M in 2.5 years)
Microsoft: https://msrc.microsoft.com/blog/2023/08/microsoft-bug-bounty... ($14M in a year)
That's the recruiter cost for 200 security personnel.
(Though, as developers, we shouldn't forget: not continuously creating vast numbers of defects in the first place would be better for society, and for the professionalism of our field.)
From this perspective one could make a reasonable argument that the bounty should be far higher.
Exploits can also cause damage, and the scale of damage inflicted doesn't have to connect to the market clearing price; that's a valid point to make. But it doesn't necessarily follow from it that researchers should get a bigger cut of the hypothetical damages.
The most essential thing to understand about FAANG/hyperscaler bug bounty programs is: the people running these programs are incentivized to pay out more money. Google (or at least, the people running the bounty programs) would be happier i they were paying $20MM instead of $10MM. But they modulate prices to attract more and better submissions, and they can't raise prices "just because".
The only reason to run a bug bounty program is optics. You run a program paying out paltry amounts so that when your security is routinely completely compromised you can say you were a upstanding company who tried to work with upstanding offensive researchers. It is those evil, dastardly criminals funded by insert government here using "advanced", "unique" techniques and who can stop that? Therefore it is not our fault, now go keep buying our products and stock even though we have made no changes to our incompetent security process. Works every time.
For example, after Musk gave Starlink terminals to Ukraine (and Musk admitted as much in public) why wasn't Starlink's web site constantly being taken offline by Russian cyber-attacks? Ditto the routers that route traffic to and from Starlink's satellites.
Is it your position that Russian spies are constantly breaking into Ukrainian and Western computer systems, but then they are only exfiltrating data because if they take those systems offline then that announces to the enemy the existence of the compromise, which the enemy can then respond effectively to (e.g., by buying new servers)?
Hundreds of billions?! What software vulnerability ever caused financial loss even close to that? Although you are right, that if your products are used on millions of devices you want to earn and keep users' trust. That's what Bill Gates and Microsoft realized 20 years ago[1][2] after lots of Microsoft's users and their devices got wrecked by Windows worms.
[1] https://en.wikipedia.org/wiki/Trustworthy_computing [2] https://www.microsoft.com/en-us/security/blog/2022/01/21/cel...
Does seem high but Cambridge Analytica Facebook scandal comes close if were talking about market cap they (it-least temporarily) lost over 100B [1]
[1] https://www.theguardian.com/technology/2018/jul/26/facebook-...
I remember that after Cambridge Analytica, Google started limiting their API scope as well.
I wouldn't classify Cambridge Analytica scandal as a software vulnerability but as a reckless data usage policy on the Facebook's part.
In addition to the reckless policy (and oversight), I assumed they were also violating the TOS & SLA's etc of the FB api's they used.
It is a competition to see who can crack the most eggs. Anybody can do it, but the winner is who is willing to spend the most time doing it.
Google, and any commercial non-hacking organization, just has very little incentive to really waste a lot of money on that task. Where as basically every military and law enforcement arm of the US government has a ton of incentive and boatloads of money to spend cracking eggs. The military arms certainly spend billions a year and it would be quite unexpected if the law enforcement arms are not each, individually, spending hundreds of millions to billions per year.
Is the quality lower? Maybe. But exploit development is so easy that hardly matters. If you want to hack somebody then good enough is enough.
For that matter, who do you think hired various domestic hackers out of jail?
At this point, the advantages of exploit development are so obvious and lopsided that you need evidence that an agency with motive is not engaging in exploit development. Even then, they routinely lean on the other agencies to get access to hacking capabilities that they might not have in-house, so the gap is even smaller if we talk about hacking capabilities.
[1] https://www.justice.gov/opa/pr/us-department-justice-disrupt...