Twitch increases bug bounty payouts after source code leak by... wait, is that it?

Anonymous Coward

It's a market; place your bid

If you're offering bug bounties you need to think about them as your bid in an active marketplace. It's true that part of your bid is non-monetary: many researchers and engineers prefer to sell their knowledge to vendors and others who will use it defensively (i.e., to fix the bug). But that non-monetary component has only so much value, which differs from one person to the next -- some may be indifferent and will simply accept the highest monetary bid on offer -- and you cannot rely on it to carry the day over potentially much larger bids offered by criminals (a group that includes state actors, who have the ability to literally print money to pay for knowledge they can weaponise). As with any auction, you have to ask yourself up front how important it is to win.

A genuine P1 bug (security-related or otherwise) is a drop-everything moment for however many engineers are needed to analyse and fix it. The type, scope, and scale of the impact that qualifies a bug as P1 depends on your business, but for a major Internet-facing service it's going to be something that is highly likely to compromise your customers' personal information, your own databases, or take out your service. Such incidents are at best costly to fix and come with reputational damage that may never be overcome. In the limit, they can threaten the very existence of your company. With that in mind, $5000 seems like a paltry bid. I'm pretty sure I'd want to reconsider that if I were in their shoes; it's easy to imagine nefarious actors offering a healthy multiple, and the cost of cleaning up from an exploit of a P1 security bug in your service is surely many times that as well.

This is part of the cost of doing business: you can invest up front in better systems and software, and you will have fewer and less severe bugs to address later. Or you can defer that investment and either suffer the consequences of malicious exploitation or pay others more to find your bugs for you. Those are, unfortunately, the only three choices you have. Deferring investment and then demanding that others do your work for far less than it would have cost you up front is not one of your options.
