
There's clearly a spectrum between "reward" and "extortion", but... come on. The point of a bug bounty is to make it worthwhile for smart hackers to report their findings to the company in an ethical way, which broadly means that it should be comparable to the kind of money they can make for their labor on the open market.

A hundred grand for a few weeks or a month of work is way, way above that level. This is a jackpot, not a reward. Whether Uber threw out the number or the guy demanded probably won't ever be known, but I know where I'd put my bet.




If you consider the value of such a hack on the open market, $100k makes more sense. The bug bounty program is supposed to make it more lucrative to be a white hat than to be a black hat, so $100k for something this severe is in the realm of possibility. Whether it took the hacker hours or months isn't really a factor... it's just about the value of the hack.

For comparison, Apple's bug bounty program says they'll pay $100k for a hack to extract data from the Secure Enclave.

(Bug bounty programs are often probably underpaying compared to what something would be worth on the black market, but clean money is worth lots more than dirty money with a prison risk)


I’m sorry, but all of this comment is incorrect.

1. Vulnerabilities in the individual websites of specific companies typically have little to no salable value on an "open market", black or otherwise.

2. People who manage bug bounty programs know this, and those programs are not designed to compete with a shadowy underworld. They’re just an incentive for reporting security vulnerabilities.

3. Apple’s security vulnerabilities actually do compete with a market for the sale of exploits, but this is because vulnerabilities in iOS or macOS represent vulnerabilities in deployed operating systems and software for which they are not the sole arbiter of an update decision.

> Bug bounty programs are often probably underpaying compared to what something would be worth on the black market, but clean money is worth lots more than dirty money with a prison risk

I say the following as someone who has: 1) managed a bug bounty internally as a security engineer, 2) managed bug bounties as a consultant for various tech companies of various sizes, 3) reported security vulnerabilities in bounty programs for companies you've heard of, 4) spoken professionally with engineers at tiny, small, medium and large companies running programs and 5) sold vulnerabilities for various reasons:

Bug bounty programs are emphatically not underpaying relative to a black market. Black market exchanges exist for vulnerabilities which impact operating systems, widely used open source software and languages. A key component of the value of a vulnerability is its half-life - that is to say, how long it can be expected to be useful. A vulnerability in Ubuntu has a half-life of years, perhaps decades. A vulnerability in Uber’s web applications has a half-life of one week. In 15 years, you will reliably find servers on the internet chugging along with a horribly misconfigured, vulnerable version of Windows or Debian and an open service written in Python 2.7. In contrast, Uber’s web applications will scarcely look the same in 15 years, and the company can deploy a hotfix to the entire landscape of the vulnerability (their centralized servers) in 24 hours.

Can you concoct a scenario in which a hypothetical saboteur manages to weaponize and capitalize on an exploit in Facebook Ads Manager, or some random Uber server with sensitive data, within a week? Sure, but it's contrived. The risk/reward ratio just isn't really there.

I’ve continually crusaded against what you’re claiming on HN for literally years now. It’s simply not true. I don’t mean to be harsh on you in particular, but the confident repetition of incorrect claims becomes frustrating.


> 1. Vulnerabilities in the individual websites of specific companies typically have little to no salable value on an "open market", black or otherwise.

This may apply to regular random companies, but does it really apply to very well-known, rich brands like Uber?

> Can you concoct a scenario in which a hypothetical saboteur manages to weaponize and capitalize on an exploit in (...) some random Uber server with sensitive data, within a week? Sure, but it's contrived. The risk/reward ratio just isn't really there.

This is Uber we're talking about. It's not exactly a universally loved company. I can easily imagine someone interested in profiting from the extra bad press and attention caused by a data breach.


> This may apply to regular random companies, but does it really apply to very well-known, rich brands like Uber?

I would pay 10 BTC for a recent copy of the Uber user DB containing at least the emails, names and phone numbers of all users.


> Can you concoct a scenario in which a hypothetical saboteur manages to weaponize and capitalize on an exploit in Facebook Ads Manager, or some random Uber server with sensitive data, within a week? Sure, but it's contrived. The risk/reward ratio just isn't really there.

Sure, kill the credit cards, who gives a fuck.

Knowing where Uber users live, their usual time home on a Friday or Saturday night, whether or not they're throwing up with a chance of not remembering anything (I stole) would be fantastic. Oh, I could also sell this to anyone doing ANY data mining to easily enrich their data set.

This is 10 seconds worth of thought, do you really think the Uber data set has so little value?


> This is 10 seconds worth of thought, do you really think the Uber data set has so little value?

No. I’m saying that a vulnerability in Uber’s software has very little value.

More precisely, I’ve sold data (and analysis thereof) to the financial sector. I’ve even sold unique data on Uber and UberEats specifically (not gained through a security vulnerability). Data and vulnerabilities are distinct products with separate buyers. Companies interested in data like this are mostly interested in it being sourced, at worst, through scraping or mining. They’re usually skittish about outright vulnerabilities, and have a sense of how likely it is data was obtained in a legally defensible manner.

On the other hand, buyers of vulnerabilities are mostly not using them for interesting dataset acquisition. They weaponize the vulnerabilities themselves instead of buying any single output from a vulnerability, and they mostly use them for developing botnets or constructing online “holes” for identity and credit card harvesting on an ongoing basis.

The point of purchasing vulnerabilities is gaining a privileged position for ongoing compromise that replenishes for a reasonably long time. No one is saying these vulnerabilities are bad; I’m specifically telling you the vulnerabilities are not generally salable, because the parties interested in them have little to no overlap with the parties interested in data. Furthermore, those two markets have separate intentions, processes and risk/reward ratios.

A dataset and a vulnerability that can lead to a dataset are simply not comparable. I believe someone would probably be willing to purchase this particular data, but I do not believe you could weaponize this data on an open market with any regularity, and bug bounty programs would not take this into account when calibrating their payouts. Finding an organization willing to buy a legally sourced, unique dataset is comparatively easy. So is finding an organization willing to buy a vulnerability that can be weaponized towards a significant number of servers on the internet. But finding an organization willing to buy a vulnerability just for its data value, or an organization willing to use illegally sourced data, is hard. Not impossible, but rarer than either of the other two examples. There is not a regular market for it.


I agree with you that bug bounty programs for small companies/products aren't competing with the black market, but big ones like Apple, Uber, and Facebook certainly are. I was really only referring to these large folks. I agree that an XSS bug on AcmeBizSoftCo doesn't have much of a black market.

To take your FB Ads Manager example... just recently there was a bug that allowed people to start campaigns for free (by somehow charging the bill to unrelated accounts). A bug like that has a small half-life, but if it lets someone use up a million dollars in targeted ads over one weekend for free, I would think you could still get quite a bit for it on a black market.


User personal data, account information and relationships, financial data, and the PR impact of having these hacks made public in the wrong light during an ugly news cycle carry value far beyond the half-life of the vulnerability itself.


I would quibble with this, because in general things like share price have little impact from security breaches unless it’s something like medical R&D.

But instead of taking that argument I’m going to say this: I have been heavily involved in bug bounty programs during my career thus far and I’ve sold data to hedge funds for companies like Uber (not using security vulnerabilities, however). In fact, I have specifically used unique, originally sourced and curated UberEats data to forecast GrubHub’s revenue and market share over time. I’ve even managed bug bounties for several companies and participated in them. I’ve had people threaten me with taking a vulnerability public in the hopes of receiving a payout, etc, etc.

I’m harping on all of this because vulnerabilities and data are very different products, and have very different markets. A vulnerability is salable to a black market under specific conditions; the people interested in acquiring unique data are, to a first approximation, none of the people interested in buying a vulnerability. One of these markets is interested in illegally generated, extremely high profit on an ongoing basis which they can mostly control end to end. The other market is very risk-averse, and is interested in profitable analysis of the data.

You could certainly find some counterparty willing to buy this kind of data eventually, but it would not be a traditional blackhat organization, and it would not be a routine regularity as it is with vulnerability exchanges. Further, bug bounty programs still would not calibrate their prices based on this, because it would be rarer than vulnerability sales.


You're quite misinformed on the value of such a vuln on the black market. Access to companies is indeed something that blackhats monetize. It's different from selling a 0day in some software, but there is a market for it.


This is not access to anything. This is a static dataset.


Or you can go into the business of running exploits as a service, à la Cellebrite.


If we were talking about any other company I'd probably agree with you, but I definitely think it would be Uber's style to offer 100k as hush money without being asked for hush money.

"Just throw money at it" seems to be a more integral strategy of their corporate playbook than most companies.


> The point to a bug bounty is to make it worthwhile for smart hackers to report their findings to the company in a ethical way, which broadly means that it should be comparable to the kind of money they can make for their labor on the open market.

To a first approximation, no bug bounty for web application or mobile application software competes with any black market. In fact there is no black market for those vulnerabilities. These vulnerabilities exist in a centralized system, and therefore have virtually no half-life, which means little to no value. They’re not salable.

Much to the chagrin of people who speculate one way or another about bug bounty payouts on message boards like this one, bug bounty programs do not calibrate their program payouts to compete with a real or perceived black market.


I'm in agreement that the person here couldn't readily turn around and sell the exploit, but what about the data?


At that point you’re comparing apples to oranges. There is a white hat market for company vulnerabilities, but not a black hat market for them. Whereas for stolen data, there is a black hat market, but not a white hat market.

The reason for this is obvious: bug reports have value to a company, but dumps of their own internal data do not. The only buyers of vulnerabilities on a white hat market are the companies who are victims of the vulnerabilities. The bug reports are valuable to those companies because it allows them to patch previously unknown vulnerabilities. But data breaches are not valuable to them in the same way. Why would they pay you for their own data that they already have? It’s not analogous to buying vulnerabilities, because the company gains nothing new.

Therefore the argument that the stolen data would be worth more on the black market than the white market is a moot point, because there is no white market for stolen data. If you’ve stolen data, you’ve overstepped the bounds of any reasonable bug bounty program, at a greatly increased risk of prosecution. Your options are to 1) stop and do nothing, 2) sell the data on the black market, 3) attempt to responsibly disclose the breach, knowing you are in a vulnerable legal position having downloaded the data, or 4) extort the company.

(Notice that “sell the data on a white hat market” is not an option.)

What we do not know in this case is if the hacker chose #3 or #4. It seems like he used social engineering to get the GitHub credentials, which would normally fall out of bounds for bug bounty programs (never mind the data breach itself). That seems to support the speculative conclusion that the hacker went into this with malicious intent. So does the fact that he resorted to HackerOne seemingly post facto, as the article mentions, so Uber could "verify his identity." But perhaps he was just naive. We don't know.

I second what others have said. The fact that this is Uber makes me inclined to believe they initiated the offer of $100k.


It's more than that even. As a consumer, you should have a right to know when data you entrusted to someone has been compromised. Uber needed to report this even assuming this was a "white hat" hacker.


Indeed. And that is likely one of many reasons why bug bounty programs typically forbid downloading any more data than necessary to prove a bug.


Comparing a bug bounty to a jackpot seems reasonable. Researchers are paid when they find something. They might work for many hours and find nothing. So when they do find a bug, the payout has to be worthwhile.


You may be right, but you can't just compare to the market rate of a month's labor. You have to price in the rather high probability that no serious bug would be found and the risk-adjusted rate of return.


Uber has been created to bet on a billion dollar jackpot, so I think they should respect people who are betting on smaller jackpots. I don't understand why the little guy is supposed to ask only for his labor rate while the company is shooting for the really big money.


I hesitate to defend Uber, but I think you're mixing the post-hoc reward of $100,000, with the propter hoc expected value of the guy's work.

Such reward schemes are set up as a sort of competition, or bet. You invest time not knowing if you will find anything worthy of a reward. If you expect to have a 10% chance of finding a vulnerability, the reward needs to be 10x the value of the work for it to be a worthwhile use of your time.


A few weeks' work with no guarantee of success; they could have worked for a year and made $0, so the good times have to earn you enough to get through the bad.


There are companies that charge $50K to $100K for a vulnerability test, and you get a 20 to 100 page report with one guy onsite for 5 to 8 days, so no, one month's work is definitely worth more than $100K; even an infosec analyst will get that as one month's pay.


The appropriate calculation is the amount of time it took to find the issue, divided by the probability of not finding the issue.


$1k/hr consulting fee for 100 hours. That seems normal.

