I once reverse engineered a Gmail worm found in the wild. The underlying exploit ended up being a security scan bypass in Google docs. I spent a lot of time submitting a bounty report, but I made one fatal mistake: I used URL redirection in the PoC. It was automatically rejected even though that was an example of content that the scan normally detects, not the actual vulnerability. It was closed as not eligible, then silently fixed a week later.
Edit: I checked the emails to refresh my memory. A human acknowledged that it was a flaw in the security scanner and forwarded it to the drive team, then a bot (AFAICT) determined that it was not eligible based on metadata in the report.
Edit 2: I did get one thing out of it. They sent me an invitation to a Bounty Craft event in Las Vegas during Def Con which I was attending that year (likely the actions of another bot scraping the email list). I got there early and accidentally sat down in the Microsoft Security Response team's couch area while they were all up getting food. They were nice people. They realized I never picked up swag on the way in and someone took me back to the door to get it. Apparently since I was with one of the event organizer and they said "you forgot to give him a t-shirt" they assumed I was staff and gave me a staff t-shirt. The event was 100% about how the sponsor companies were investing in automated fuzzing technologies and basically didn't need bug bounty hunters anymore. Slap in the face.
I understand the point you're making about incentives, but the phrasing is poor. The reason people shouldn't sell exploits to the highest bidder isn't because the vulnerable software author refuses to pay a bounty.
People shouldn't sell exploits because it's a crime that hurts people.
In the movie Independence Day the aliens computer systems were hacked with a few hours worth of work. Why were they hacked and destroyed? Because nobody reported and worked on security incidents of course. Why would anyone need to in a militaristic society?
My story is silly, of course, but the point is real. If you don't attack and then fix systems, a lot of people will get hurt.
That's better phrased, indeed. The problem with your earlier statement is that the incentives are not for the people you are talking about.
You don't offer rewards to prevent criminals from selling exploits. Criminals are going to sell exploits anyway. Bug bounties have nothing to do with criminal behavior.
Bounties are there to incentivize the honest people to do security work. And the response of an honest person being denied a bounty IS ABSOLUTELY NOT to turn around and sell it.
Edit: I checked the emails to refresh my memory. A human acknowledged that it was a flaw in the security scanner and forwarded it to the drive team, then a bot (AFAICT) determined that it was not eligible based on metadata in the report.
Edit 2: I did get one thing out of it. They sent me an invitation to a Bounty Craft event in Las Vegas during Def Con which I was attending that year (likely the actions of another bot scraping the email list). I got there early and accidentally sat down in the Microsoft Security Response team's couch area while they were all up getting food. They were nice people. They realized I never picked up swag on the way in and someone took me back to the door to get it. Apparently since I was with one of the event organizer and they said "you forgot to give him a t-shirt" they assumed I was staff and gave me a staff t-shirt. The event was 100% about how the sponsor companies were investing in automated fuzzing technologies and basically didn't need bug bounty hunters anymore. Slap in the face.