jijijijij 18 hours ago

> That's not how any of this works.

Yes, evidently not.

Just because on average the intelligence agencies or ransomware distributors wouldn't pay big bucks for XSS on Zerodium etc. doesn't mean that's setting the fair or wise price for disclosure. Every bug bounty program is mostly PR mitigation. It's bad PR if you underpay for a disclosed vulnerability, which may have ended your business, considering the price of security audits/practices you cheaped out on. I mean, most bug bounty programs are actually paid by scope, not market price for technically comparable exploits. If you found an XSS vulnerability in an Apple service with this scope, I bet you would have been paid more than 4k.

tptacek 18 hours ago

Nobody is buying anything on "Zerodium".

jijijijij 18 hours ago

I wasn't aware they are gone. It's not my game, replace with whatever shady exploit trader/market out there.

tptacek 18 hours ago

I do not in fact think you would make a lot more than $4000, or even $4000 in the first place, for an Apple XSS bug, unless it was extraordinarily situationally powerful (for instance, a first-stage for a clean, direct RCE). Bounty prices have nothing at all to do with the worst-case damage a motivated actor could cause with a vulnerability.

jijijijij 17 hours ago

https://security.apple.com/bounty/categories/

The lowest tier is $5k. XSS up to $40k. I think we're talking exfiltration of dev credentials...

tptacek 17 hours ago

Nice, I hadn't seen that. Well, there you go: the absolute most you're going to make for the absolute worst-case XSS bug at the largest software firm in the world.