back to article Twitch increases bug bounty payouts after source code leak by... wait, is that it?

Amazon-owned streaming platform Twitch has responded to last week's breach of its source code by increasing bug bounty pay-outs from $3,000 to $5,000, sources have told The Register. The paltry sum was announced to people signed up to Twitch's bug bounty platform, provided by "crowdsourced cybersecurity" firm Bugcrowd. An …

  1. fredblogggs

    It's a market; place your bid

    If you're offering bug bounties you need to think about them as your bid in an active marketplace. It's true that part of your bid is non-monetary: many researchers and engineers prefer to sell their knowledge to vendors and others who will use it defensively (i.e., to fix the bug). But that non-monetary component has only so much value, which differs from one person to the next -- some may be indifferent and will simply accept the highest monetary bid on offer -- and you cannot rely on it to carry the day over potentially much larger bids offered by criminals (a group that includes state actors, who have the ability to literally print money to pay for knowledge they can weaponise). As with any auction, you have to ask yourself up front how important it is to win.

    A genuine P1 bug (security-related or otherwise) is a drop-everything moment for however many engineers are needed to analyse and fix it. The type, scope, and scale of the impact that qualifies a bug as P1 depends on your business, but for a major Internet-facing service it's going to be something that is highly likely to compromise your customers' personal information, your own databases, or take out your service. Such incidents are at best costly to fix and come with reputational damage that may never be overcome. In the limit, they can threaten the very existence of your company. With that in mind, $5000 seems like a paltry bid. I'm pretty sure I'd want to reconsider that if I were in their shoes; it's easy to imagine nefarious actors offering a healthy multiple, and the cost of cleaning up from an exploit of a P1 security bug in your service is surely many times that as well.

    This is part of the cost of doing business: you can invest up front in better systems and software, and you will have fewer and less severe bugs to address later. Or you can defer that investment and either suffer the consequences of malicious exploitation or pay others more to find your bugs for you. Those are, unfortunately, the only three choices you have. Deferring investment and then demanding that others do your work for far less than it would have cost you up front is not one of your options.

    1. ShadowSystems

      Re: It's a market; place your bid

      *Jumps up & down enthusiasticly on the upvote button*

      Damn my inability to upvote the hell out of your post!

      *Hands you a pint* Drink up & congratulations for nailing the issue in the very first post. =-)

    2. jake Silver badge

      Re: It's a market; place your bid

      Something to remember is that the kids who graduated Uni/College and got into the corporate computer and networking world back when computers started becoming ubiquitous on desktops all over the corporate world are now roughly in their mid 50s.

      Note this is managers, users, coders, programmers, systems folks, everyone.

      They started commercial computer work with DOS 4.0 and Windows 2.x (or thereabouts), and have become conditioned to the Redmond Way ... In their minds (and the generations following) it's supposed to be shoddy code, it's supposed to not be secure, it's supposed to break at the least convenient time, it will crash at random, updates will make things worse, over time it gets bigger and worse, if you turn it off and back on again it might fix it (maybe; try flicking the switch again) ... these are all enshrined in the corporate attitude.

      What would be the point in building clean, elegant program code that just works when the underlying OS doesn't support such a concept?

      Those of us who started coding in the 60s or earlier are just left shaking our heads. Can you imagine what the reaction in Corporate America would have been if DEC or Burroughs or Sperry or IBM had made just one release that was as buggy as the code that is run as a matter of course on modern computers? Or worse, the drek in "the cloud"? The company's stock would have tanked, they would never have been trusted again, heads would have rolled ... ugly wouldn't even begin to describe it.

      But these days? Navigating through crap, buggy, crash-prone bullshit has become business as usual. Because THAT'S HOW COMPUTERS ARE SUPPOSED TO WORK! Ask any manager. Or coder under 50. (Thankfully there are still a few real programmers out there in each generation.)

      So why bother paying money to fix it? The shareholders will just bitch about the expense.

      I have no answers. I'm not sure there are any. It's probably too late.

      1. Anonymous Coward
        Anonymous Coward

        Re: It's a market; place your bid

        Nice rant

        Worth pointing out that things are several orders of magnitude more complex than back then

        Also super cars are better engineered than mass production cars, but a daily runner is a lot more useful...

        1. This post has been deleted by its author

        2. jake Silver badge

          Re: It's a market; place your bid

          "Worth pointing out that things are several orders of magnitude more complex than back then"

          Correct. I don't consider this to be a plus.

          Consider that I can fire up a computer running DOS 3.3 and then create and print a document using Wordstar or create and print a spreadsheet using Visicalc MUCH faster than I can perform the exact same task(s) using anything that Redmond is currently pushing. This is an improvement?

          (So-called "super cars" are fairly useless playthings of the idle rich. Having driven many examples, in my mind they are merely objet d'art. Useless to real people, unless you enjoy garage queens ... or worse. I knew of one guy down in Belvedere who had a '78 Countach on a rotating plinth in his living room). Their engineering is, for the most part, more form than function.)

          Note that none of this has anything to do with what I wrote.

          1. Alan_Peery

            Re: It's a market; place your bid

            Set your functionality targets low enough, and that elderly software is indeed quick.

            1. jake Silver badge

              Re: It's a market; place your bid

              If you invent needless functionality to sell updates, you'll bog down perfectly good equipment.

              1. ecofeco Silver badge

                Re: It's a market; place your bid

                This. All day long, this.

                "More tedium" with less reliability seems to be only significant changes I see these days.

      2. Anonymous Coward
        Anonymous Coward

        Re: It's a market; place your bid

        @jake: some of us that started out when you specify and are now at or nearing our 50s not only started with PCs but also with DEC Vax machines etc. and aren't conditioned as such.

        The issue is more to do with the far greater levels of connectivity today vs yesteryear and the lower barriers to entry of the ne'er-do-well. Back in the day you had to have a semblance of technical chops to cause mischief as well as access to an appropriately connected machine. Nowadays you can just download a script and cause mayhem.

        There is a touch of quick to market piss poor architecture across a lot of these companies but having pretty much anyone on the planet able to connect to your machine means even well crafted code comes with issues.

        1. jake Silver badge

          Re: It's a market; place your bid

          As I said, there are exceptions. You and I have been in the business long enough to know that the exceptions are far from the rule.

      3. katrinab Silver badge

        Re: It's a market; place your bid

        In the 1980s, the only security threats were people breaking in and stealing the hardware, and viruses coming in via floppy disk, and things like discarded reports and discarded carbon copy film in the trash.

        1. jake Silver badge

          Re: It's a market; place your bid

          There were other security issues ... modem access, social engineering, MITM attacks on switched56 lines, etc. Keep in mind that very little was encrypted, at any level.

          Also note that in the early '80s, if Twitch had actually existed, they almost certainly would have freely shipped their source code with the hardware needed to run it. The concept of closely-held source is a modern invention ... What we have today started with Bill Gates' "Open Letter to Hobbyists" in 1976, and culminated in Software Publishing Association's "Don't Copy That Floppy" nonsense in '92.

          1. ecofeco Silver badge

            Re: It's a market; place your bid

            I am shocked you are getting even one downvote for any of your posts. Every word of your posts are truth.

            Oh well, always some smeggin edgelord edgelording.

      4. Anonymous Coward
        Anonymous Coward

        Re: It's a market; place your bid

        If you're a company of the 'move fast and break things' variety, then you've already explicitly accepted that you're going to make broken things.

        A few thousand in bug bounties for other people to try and clean up your mess is peanuts.

        Personally, I really don't like using nor relying on the products of companies who have told me up front that their strategy is to make shonky stuff. Especially when just a single problem can bring the whole lot crashing down.

        1. jake Silver badge

          Re: It's a market; place your bid

          Exactly.

    3. Justthefacts

      Re: It's a market; place your bid

      I think the problem is that they are also not understood what the pay structure of the bug hunter looks like from the other side. They know (in retrospect) that the bug exists, and are making sort of mental estimate of “how much effort and skill does it take to find that bug”?

      But what about all the time and effort that ends in *not* finding the bug? That has to be paid for too.

      You can just smell the whole Silicon Valley attitude “I don’t pay for failure”. But the system only works if they do, otherwise it’s not worth spending your time trying.

      The irony is that setting the bug bounty shouldn’t be guesswork, to be arbitrarily tripled from a low base. The companies have a *perfectly good* metric of how large the bug bounty should be. At least *some* companies have an internal test- and security- teams, tasked with doing the same thing, there should by now be a fairly well-established number how many P1, P2 etc are found per thousand developer-hours.

      Just like everybody knows *roughly* what the market-salary is for a developer at a certain grade is within 20%, although it certainly can vary, and we all know some people are 5x more productive.

      If the full-time bug-hunters are getting £26k pa, while the going rate for base-level silicon valley dev is easily $100-150k nowadays, you know that you aren’t paying the bug-hunters for their time.

      I’m not advocating paying salary rather than bounty, rather just a more realistic costing of the labour to find a bug, given that almost everything you will do does *not* find a bug.

      1. jake Silver badge

        Re: It's a market; place your bid

        "the whole Silicon Valley attitude “I don’t pay for failure”."

        Assumes facts not in evidence ... How many billions in Sand Hill Road venture cap dollars have been spent on vapo(u)rware (and out right scams, see Theranos for example) over the last half century?

        There is a reason that us locals call it Silly Con Valley ...

        1. ecofeco Silver badge

          Re: It's a market; place your bid

          Emphasis on "con."

  2. low_resolution_foxxes Silver badge

    Odd timing that both Facebook and Twitch went down at the same due to "server configuration changes"?

    1. chuBb. Silver badge

      Not really both are "move fast and break things" companies

      In other words meet kpis and hope for best, then when it blows up and new managers come in, test until quarterly bonus is threatened, get sloppy, break it again and jump ship to do same shit elsewhere

  3. NoneSuch Silver badge
    Linux

    How Much Are You Willing To Lose Per Day For a Data Breach?

    Divide by ten and that's your bug bounty reward.

  4. Anonymous Coward
    Anonymous Coward

    And this offer comes

    from the richest corporation on Planet Earth.

    As someone in an episode of The Simpsons said "I didn't get rich by writing checks".

    1. Joe W Silver badge

      Re: And this offer comes

      "It is easier to get money from poor people" Gunilla Goodmountain.

      1. jake Silver badge

        Re: And this offer comes

        "There's a sucker born every minute." —David Hannum

        (Probably. Supposedly in reference to PT Barnum's roll in the Cardiff Giant hoax. Or so the story goes. My gut feeling is that the very same phrase was in widespread use long before humans invented writing.)

      2. waldo kitty
        Unhappy

        Re: And this offer comes

        "It is easier to get money from poor people" Gunilla Goodmountain.

        yep... it is easier for a poor man to get $10 each month for a pair of paper boots than it is for him to save $100 for a better pair of boots that will last for years instead of just 30 days...

    2. Richard 12 Silver badge

      Re: And this offer comes

      When did Apple buy Twitch?

      Amazon cash reserves $68 billion, MS $140, Apple $195, Alphabet $132. It's quite ridiculous

  5. idiot taxpayer here again

    I am surprised that

    no one has commented on the size of the percentage that Twitch takes from it's streamers.

    https://arstechnica.com/gaming/2021/10/millionaire-twitch-streamers-react-to-their-leaked-earnings/

    Then again we're not talking about Google, Microsoft, Amazon or, especially, Apple.

    1. Anonymous Coward
      Anonymous Coward

      Re: I am surprised that

      Ummm we are talking about amazon, who do you think owns twitch?

  6. yetanotheraoc

    Cheap bastards

    What's wrong with these beancounters? It's so stupid both to offer a low top payout AND to downgrade bug severity to reduce the payouts. Just pick one. If you get to decide what is / is not a P1 bug, it shouldn't matter what the top prize is, since nobody is going to win it.

    P1: $3,000 -> $5,000 -> $1,000,000 (arbitrary large number)

    P2: $1,800 -> $2,000

    P3: $300 -> $500

    P4: $100 -> $300

    1. Anonymous Coward
      Anonymous Coward

      Re: Cheap bastards

      Yeah, that's the other angle here. Thing is, if you're the reporter, you have a pretty good idea what can be done with the bug. So it becomes a matter of fool me twice, shame on me: I know what I would do if I found a bug I know for certain is very serious and could jeopardise the vendor's entire product or service for all its customers and that vendor told me it's a P3 and handed me $500. The next time I'm selling that knowledge to the highest bidder and crossing my fingers it'll be someone really nasty like a Russian mobster or the PLA, because I won't do business twice with someone who screws me. And that kind of experience needs to be widely disseminated too, so that the vendor develops a reputation and others steer clear also.

      If you're valuing my knowledge on the basis of what you pay your sweatshop devs in Bangalore for the number of hours you think I spent obtaining it, you may as well forget about doing business. It shows you really don't understand the market for knowledge at all. By leaving these bugs for me to find instead of hiring strong engineers to address them up front, you chose to bear the risk associated with their value. When you employ engineers, you're buying a call option on their future work; when you offer bug bounties instead you're posting a bid and hoping freelancers will sell at your price. Neither of you knows for sure whether that engineer will solve really hard problems that could otherwise cost you your entire business but if so you are guaranteed the benefits; when you offer a bug bounty, though, your counterparty not only knows how long it took to find the bug but also has a pretty good idea of its value to you and is free to set the price. If you want cost certainty, you have to pay up front. Otherwise you need to accept that more valuable goods carry a steeper price tag, and if you won't pay it you can expect to find those goods ending up in others' hands instead of yours.

      It isn't surprising that Amazon are both lowballers and liars when it comes to bug bounties. By all accounts that's simply the way they do business. I wouldn't buy a computer from them, I wouldn't be their employee, and I wouldn't sell them a bug under their bounty programme. Some people seem to have made the conscious choice to do business only with the desperate. It doesn't end well.

    2. Anonymous Coward
      Anonymous Coward

      Re: Cheap bastards

      The category your vulnerability falls into is also arbitrarily decided by a mixture of the triager at bugcrowd + the company themselves. You can argue until you're blue in the face that it's quite serious but they have the final say, and there's no appeal. If they don't want to pay you a P1 fee, then they don't have to... that's why bug bounties are so broken.

  7. Swarthy

    Twitch didn't suffer a data leak

    It was an unscheduled decentralized backup

    1. Anonymous Coward
      Anonymous Coward

      Re: Twitch didn't suffer a data leak

      A "cloud" backup, even, given it's a Torrent file.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021