duozerk 2 hours ago

> That's pretty bad! I wonder what kind of bounty went to the researcher.

I'd be surprised if it's above 20K$.

Bug bounty rewards are usually criminally low; doubly so when you consider the efforts usually involved in not only finding serious vulns, but demonstrating a reliable way to exploit them.

salviati 2 hours ago | parent | next [-]

I think a big part of "criminally low" is that you'll make much more money selling it on the black market than getting the bounty.

duozerk 2 hours ago | parent | next [-]

I read this often, and I guess it could be true, but those kinds of transactions would presumably go through DNM / forums like BF and the like. Which means crypto, and full anonymity. So either the buyer trusts the seller to deliver, or the seller trusts the buyer to pay. And once you reveal the particulars of a flaw, nothing prevents the buyer from running away (this actually also occurs regularly on legal, genuine bug bounty programs - they'll patch the problem discreetly after reading the report but never follow up, never mind paying; with little recourse for the researcher).

Even revealing enough details, but not everything, about the flaw to convince a potential buyer would be detrimental to the seller, as the level of detail required to convince would likely massively simplify the work of the buyer should they decide to try and find the flaw themselves instead of buying. And I imagine many of those potential buyers would be state actors or organized criminal groups, both of which do have researchers in house.

The way this trust issue is (mostly) solved in drugs DNM is through the platform itself acting as an escrow agent; but I suspect such a thing would not work as well with selling vulnerabilities, because the volume is much lower, for one thing (preventing a high enough volume for reputation building); the financial amounts generally higher, for another.

The real money to be made as a criminal alternative, I think, would be to exploit the flaw yourself on real life targets. For example to drop ransomware payloads; these days ransomware groups even offer franchises - they'll take, say, 15% of the ransom cut and provide assistance with laundering/exploiting the target/etc; and claim your infection in the name of their group.

moring 2 hours ago | parent [-]

> Even revealing enough details, but not everything, about the flaw to convince a potential buyer would be detrimental to the seller, as the level of detail required to convince would likely massively simplify the work of the buyer should they decide to try and find the flaw themselves instead of buying.

Is conning a seller really worth it for a potential buyer? Details will help an expert find the flaw, but it still takes lots of work, and there is the risk of not finding it (and the seller will be careful next time).

> And I imagine many of those potential buyers would be state actors or organized criminal groups, both of which do have researchers in house.

They also have the money to just buy an exploit.

> The real money to be made as a criminal alternative, I think, would be to exploit the flaw yourself on real life targets. For example to drop ransomware payloads; these days ransomware groups even offer franchises - they'll take, say, 15% of the ransom cut and provide assistance with laundering/exploiting the target/etc; and claim your infection in the name of their group.

I'd imagine the skills needed to get paid from ransomware victims without getting caught to be very different from the skills needed to find a vulnerability.

consumer451 2 hours ago | parent | prev [-]

I am far from the halls of corporate decision making, but I really don't understand why bug bounties at trillion dollar companies are so low.

arcfour 2 hours ago | parent [-]

Because it's nicer to get $10k legally + public credit than it is to get $100k while risking arrest + prison time, getting scammed, or selling your exploit to someone that uses it to ransom a children's hospital?

consumer451 13 minutes ago | parent | next [-]

Thanks, great answer. I was just thinking from a simple market value POV.

kspacewalk2 an hour ago | parent | prev [-]

Is it in fact illegal to sell a zero day exploit of an open source application or library to whoever I want?

IggleSniggle an hour ago | parent [-]

Depends. Within the US, there are data export laws that could make the "whoever" part illegal. There are also conspiracy to commit a crime laws that could imply liability. There are also laws that could make performing/demonstrating certain exploits illegal, even if divulging it isn't. That could result in some legal gray area. IANAL but have worked in this domain. Obviously different jurisdictions may handle such issues differently from one another.

naeioi 2 hours ago | parent | prev | next [-]

The bounty could be very high. Last year one bug’s reporter was rewarded $250k. https://news.ycombinator.com/item?id=44861106

duozerk 2 hours ago | parent [-]

Maybe Google is an exception (but then again, maybe that payout was part marketing to draw more researchers).

throwaway150 44 minutes ago | parent [-]

So is there anything that would actually satisfy the crowd here?

Offer $25K and it is "How dare a trillion dollar company pay so little?"

Offer $250K and it is "Hmm. Exception! Must be marketing!"

What precisely is an acceptable number?

wepple an hour ago | parent | prev [-]

> but demonstrating a reliable way to exploit them

Is this a requirement for most bug bounty programs? Particularly the “reliable” bit?