Twitch increases bug bounty payouts after source code leak by... wait, is that it? Amazon-owned streaming platform Twitch has responded to last week's breach of its source code by increasing bug bounty pay-outs from $3,000 to $5,000, sources have told The Register. The paltry sum was announced to people signed up to Twitch's bug bounty platform, provided by "crowdsourced cybersecurity" firm Bugcrowd. An …
If you're offering bug bounties you need to think about them as your bid in an active marketplace. It's true that part of your bid is non-monetary: many researchers and engineers prefer to sell their knowledge to vendors and others who will use it defensively (i.e., to fix the bug). But that non-monetary component has only so much value, which differs from one person to the next -- some may be indifferent and will simply accept the highest monetary bid on offer -- and you cannot rely on it to carry the day over potentially much larger bids offered by criminals (a group that includes state actors, who have the ability to literally print money to pay for knowledge they can weaponise). As with any auction, you have to ask yourself up front how important it is to win.
A genuine P1 bug (security-related or otherwise) is a drop-everything moment for however many engineers are needed to analyse and fix it. The type, scope, and scale of the impact that qualifies a bug as P1 depends on your business, but for a major Internet-facing service it's going to be something that is highly likely to compromise your customers' personal information, your own databases, or take out your service. Such incidents are at best costly to fix and come with reputational damage that may never be overcome. In the limit, they can threaten the very existence of your company. With that in mind, $5000 seems like a paltry bid. I'm pretty sure I'd want to reconsider that if I were in their shoes; it's easy to imagine nefarious actors offering a healthy multiple, and the cost of cleaning up from an exploit of a P1 security bug in your service is surely many times that as well.
This is part of the cost of doing business: you can invest up front in better systems and software, and you will have fewer and less severe bugs to address later. Or you can defer that investment and either suffer the consequences of malicious exploitation or pay others more to find your bugs for you. Those are, unfortunately, the only three choices you have. Deferring investment and then demanding that others do your work for far less than it would have cost you up front is not one of your options.
Something to remember is that the kids who graduated Uni/College and got into the corporate computer and networking world back when computers started becoming ubiquitous on desktops all over the corporate world are now roughly in their mid 50s.
Note this is managers, users, coders, programmers, systems folks, everyone.
They started commercial computer work with DOS 4.0 and Windows 2.x (or thereabouts), and have become conditioned to the Redmond Way ... In their minds (and the generations following) it's supposed to be shoddy code, it's supposed to not be secure, it's supposed to break at the least convenient time, it will crash at random, updates will make things worse, over time it gets bigger and worse, if you turn it off and back on again it might fix it (maybe; try flicking the switch again) ... these are all enshrined in the corporate attitude.
What would be the point in building clean, elegant program code that just works when the underlying OS doesn't support such a concept?
Those of us who started coding in the 60s or earlier are just left shaking our heads. Can you imagine what the reaction in Corporate America would have been if DEC or Burroughs or Sperry or IBM had made just one release that was as buggy as the code that is run as a matter of course on modern computers? Or worse, the drek in "the cloud"? The company's stock would have tanked, they would never have been trusted again, heads would have rolled ... ugly wouldn't even begin to describe it.
But these days? Navigating through crap, buggy, crash-prone bullshit has become business as usual. Because THAT'S HOW COMPUTERS ARE SUPPOSED TO WORK! Ask any manager. Or coder under 50. (Thankfully there are still a few real programmers out there in each generation.)
So why bother paying money to fix it? The shareholders will just bitch about the expense.
I have no answers. I'm not sure there are any. It's probably too late.
This post has been deleted by its author
"Worth pointing out that things are several orders of magnitude more complex than back then"
Correct. I don't consider this to be a plus.
Consider that I can fire up a computer running DOS 3.3 and then create and print a document using Wordstar or create and print a spreadsheet using Visicalc MUCH faster than I can perform the exact same task(s) using anything that Redmond is currently pushing. This is an improvement?
(So-called "super cars" are fairly useless playthings of the idle rich. Having driven many examples, in my mind they are merely objet d'art. Useless to real people, unless you enjoy garage queens ... or worse. I knew of one guy down in Belvedere who had a '78 Countach on a rotating plinth in his living room). Their engineering is, for the most part, more form than function.)
Note that none of this has anything to do with what I wrote.
@jake: some of us that started out when you specify and are now at or nearing our 50s not only started with PCs but also with DEC Vax machines etc. and aren't conditioned as such.
The issue is more to do with the far greater levels of connectivity today vs yesteryear and the lower barriers to entry of the ne'er-do-well. Back in the day you had to have a semblance of technical chops to cause mischief as well as access to an appropriately connected machine. Nowadays you can just download a script and cause mayhem.
There is a touch of quick to market piss poor architecture across a lot of these companies but having pretty much anyone on the planet able to connect to your machine means even well crafted code comes with issues.
There were other security issues ... modem access, social engineering, MITM attacks on switched56 lines, etc. Keep in mind that very little was encrypted, at any level.
Also note that in the early '80s, if Twitch had actually existed, they almost certainly would have freely shipped their source code with the hardware needed to run it. The concept of closely-held source is a modern invention ... What we have today started with Bill Gates' "Open Letter to Hobbyists" in 1976, and culminated in Software Publishing Association's "Don't Copy That Floppy" nonsense in '92.
If you're a company of the 'move fast and break things' variety, then you've already explicitly accepted that you're going to make broken things.
A few thousand in bug bounties for other people to try and clean up your mess is peanuts.
Personally, I really don't like using nor relying on the products of companies who have told me up front that their strategy is to make shonky stuff. Especially when just a single problem can bring the whole lot crashing down.
I think the problem is that they are also not understood what the pay structure of the bug hunter looks like from the other side. They know (in retrospect) that the bug exists, and are making sort of mental estimate of “how much effort and skill does it take to find that bug”?
But what about all the time and effort that ends in *not* finding the bug? That has to be paid for too.
You can just smell the whole Silicon Valley attitude “I don’t pay for failure”. But the system only works if they do, otherwise it’s not worth spending your time trying.
The irony is that setting the bug bounty shouldn’t be guesswork, to be arbitrarily tripled from a low base. The companies have a *perfectly good* metric of how large the bug bounty should be. At least *some* companies have an internal test- and security- teams, tasked with doing the same thing, there should by now be a fairly well-established number how many P1, P2 etc are found per thousand developer-hours.
Just like everybody knows *roughly* what the market-salary is for a developer at a certain grade is within 20%, although it certainly can vary, and we all know some people are 5x more productive.
If the full-time bug-hunters are getting £26k pa, while the going rate for base-level silicon valley dev is easily $100-150k nowadays, you know that you aren’t paying the bug-hunters for their time.
I’m not advocating paying salary rather than bounty, rather just a more realistic costing of the labour to find a bug, given that almost everything you will do does *not* find a bug.
"the whole Silicon Valley attitude “I don’t pay for failure”."
Assumes facts not in evidence ... How many billions in Sand Hill Road venture cap dollars have been spent on vapo(u)rware (and out right scams, see Theranos for example) over the last half century?
There is a reason that us locals call it Silly Con Valley ...
no one has commented on the size of the percentage that Twitch takes from it's streamers.
https://arstechnica.com/gaming/2021/10/millionaire-twitch-streamers-react-to-their-leaked-earnings/
Then again we're not talking about Google, Microsoft, Amazon or, especially, Apple.
What's wrong with these beancounters? It's so stupid both to offer a low top payout AND to downgrade bug severity to reduce the payouts. Just pick one. If you get to decide what is / is not a P1 bug, it shouldn't matter what the top prize is, since nobody is going to win it.
P1: $3,000 -> $5,000 -> $1,000,000 (arbitrary large number)
P2: $1,800 -> $2,000
P3: $300 -> $500
P4: $100 -> $300
Yeah, that's the other angle here. Thing is, if you're the reporter, you have a pretty good idea what can be done with the bug. So it becomes a matter of fool me twice, shame on me: I know what I would do if I found a bug I know for certain is very serious and could jeopardise the vendor's entire product or service for all its customers and that vendor told me it's a P3 and handed me $500. The next time I'm selling that knowledge to the highest bidder and crossing my fingers it'll be someone really nasty like a Russian mobster or the PLA, because I won't do business twice with someone who screws me. And that kind of experience needs to be widely disseminated too, so that the vendor develops a reputation and others steer clear also.
If you're valuing my knowledge on the basis of what you pay your sweatshop devs in Bangalore for the number of hours you think I spent obtaining it, you may as well forget about doing business. It shows you really don't understand the market for knowledge at all. By leaving these bugs for me to find instead of hiring strong engineers to address them up front, you chose to bear the risk associated with their value. When you employ engineers, you're buying a call option on their future work; when you offer bug bounties instead you're posting a bid and hoping freelancers will sell at your price. Neither of you knows for sure whether that engineer will solve really hard problems that could otherwise cost you your entire business but if so you are guaranteed the benefits; when you offer a bug bounty, though, your counterparty not only knows how long it took to find the bug but also has a pretty good idea of its value to you and is free to set the price. If you want cost certainty, you have to pay up front. Otherwise you need to accept that more valuable goods carry a steeper price tag, and if you won't pay it you can expect to find those goods ending up in others' hands instead of yours.
It isn't surprising that Amazon are both lowballers and liars when it comes to bug bounties. By all accounts that's simply the way they do business. I wouldn't buy a computer from them, I wouldn't be their employee, and I wouldn't sell them a bug under their bounty programme. Some people seem to have made the conscious choice to do business only with the desperate. It doesn't end well.
The category your vulnerability falls into is also arbitrarily decided by a mixture of the triager at bugcrowd + the company themselves. You can argue until you're blue in the face that it's quite serious but they have the final say, and there's no appeal. If they don't want to pay you a P1 fee, then they don't have to... that's why bug bounties are so broken.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
