The value is not about the time spent finding the bug. It's about the severity of the issue, the scale, & the competitive cost of me selling it on the black market. If Apple left open a 0-day rootkit exploit that took me somehow 1 day to find, it's still worth hundreds of thousands of dollars.
This thread is interesting because it shows different ways people value their work.
This is reasonable if you look at it as "just another job" -- you're being paid to build Good Software, so just another day at work. Or you're doing a Good Thing by helping a lot of people not get pwned.
This is unreasonable if you look at it as value-creation: "how much is this worth on the black market" or "what is this worth to Slack as a company".
Other people can get into the socioeconomic or means-of-production or entrepreneuring implications of all this, but I just think whether you downvoted or upvoted this provides a useful mirror into how one values one's own professional work.
The difference I think most people are missing is that HackerOne will not pay you if you don't find a bug. So they do not value your time, they value the results.
Leads to the conclusion that they should pay for the results and not for the time it took to find it. Also, there might have been weeks of failed attempts before finding this.
Well yeah if your comparison is that the person's morals allow them to just turn around and sell it in the black market, maybe they could've paid more. But the reality of HackerOne is that most people are really just doing it as a hobby or side project that happens to generate cash.
Some people build 10 different static website generators, others do bug bounties. It doesn't mean they'd go on to sell these exploits and risk going to jail.
It's not the people using HackerOne to be concerned about. It's the ones who don't use HackerOne because they realize they'd get more money on the black market.
When it comes to vulnerabilities with a large enough impact it isn't enough to learn about most of them, because all it takes is one financially motivated actor to weaponize things.
There is almost certainly no liquid black market for this bug, even though Slack is very important to lots of businesses. It had no half-life at all (the fix was one-and-done) and doesn't fit into any existing business/operational model (nobody has an infrastructure where different targeted Slack bugs are pin-compatible drop-ins).
This assumes the researcher is indifferent to white/black hatting. In all likelihood, the researcher may have some personal preference to be a white or black hat, and it could depend on the ethics of the company in question.
There is also the cost of the likelihood of being caught while selling vulnerabilities on the black markets. If fascists have some personal stake in the company, black hatting would likely involve more careful and high stakes anonymity measures. Remember that US federal law enforcement agencies operate Tor exit nodes!
I'm genuinely curious about this. If you ask for black-market rate compensations for disclosing a vulnerability, how is that not extortion? "Pay me this sum or I / someone will use this against you." seems to be what you are suggesting.
I think you're looking at this from not quite the perspective I'm taking. I'm not saying that any individual is going to go "Pay me this or I will attack you. No that's not enough. I want $X". That is extortion of course.
I'm looking at it from the perspective of the market economics. Reward programs are about incentivizing people to do responsible disclosure. If the market (i.e. the black market here) pays significantly higher for an exploit then a reasonable company will try to reflect their payout to match what the "market" has valued that exploit to be worth. This way someone who would otherwise have sold on the black market may be incentivized to do responsible disclosure instead (significant payout, maybe not as high but 100% legal & no legal risk). It's all about shifting the incentives and structure before people even make any decision. I think it's silly that companies get dinged that responsible disclosure programs don't pay out at the same rate as the black market. There's a legal risk element they're not factoring into the math. But it should be roughly comparable (my uneducated gut check is within ~20%).
Think of it like drugs. Marijuana on the black market is cheaper. People still opt to buy legal marijuana even though it's slightly more expensive because it's safer, legal, & vendors are accountable to their customers & community. If the cost grows too large then the black market starts to grow again (e.g. cigarettes are a notorious example of this due to taxation as an attempted lever to kill it).
It's very different than selling drugs. This bug's only value is for someone to use it in order to defraud someone else, and that's clear to understand. They are both illegal, but the two actions are not morally equivalent to most people.
And you can always look at things like the Zerodium Price List. I don't know that it's taken very seriously in its particulars, but the general structure of it mirrors what I've heard from other sources.
You'll notice on the Zerodium list that they will pay for serverside RCE in web apps --- but only a particular kind of web app: the kind that is deployed in lots of places. National IC agencies will, for instance, pay for phpBB RCE, because they have targets that use phpBB, and there are lots of phpBB's (when you hear people talking about how valuable a web bug is, ask yourself whether that person has mentioned the weird market for phpBB bugs --- something I've had firsthand [refused!] experience with). What you won't see are bugs in SaaS applications. Again, the reason is that a phpBB vulnerability has a half-life: everyone has to install the patch once it's burned.
I have no evidence for what I'm about to say here, so take it with a grain of salt:
I assume you can get paid for a vulnerability even as esoteric as this Slack ATO bug. But you'll get paid for people who are buying Slack accounts, not Slack bugs. That is: you'll have to be the one exploiting it, and you'll be making one-off deals to use it to get targeted accounts. People sell all kinds of accounts; it would not surprise me even a little to hear that there was a market for company Slack accounts.
But to participate in that market, you'd almost certainly have to directly enter a criminal conspiracy. You wouldn't be selling a bug to a market; you'd be participating.
There's definitely a bunch of cottage industry opportunities for crooks in this space, yes, if you are morally flexible and either can't be extradited to the victim's country or are confident of your OpSec.
For me the plausible deniability stops at something like the firm we hired (years ago, they were subsequently bought by CSID which was in turn purchased by another of my employers because it's a small world and apparently some people have unbounded appetite for risk) which steals credentials from people who steal credentials.
I can just about imagine sleeping after doing that all day. Because at least some of the time, indirectly, and after somebody gets paid, you're helping. It'd be like working in insurance sales. Your employer creams a profit off misery, but arguably the misery would be worse without them, maybe.
But any of these "Well I could get more money from bad guys" arguments miss in my opinion the most important constraint which is that most people don't want to work for the bad guys. Peanut farmer or crook is an easy question for most of us.
> This seems like a week of pay for a pretty good software dev.
Wait, 6500 * 4 * 12 = 312,000/yr
Might be a bit high for a week :P
EDIT: Okay turns out that if you live in the Bay area this isn't unheard of - the rest of us make 4x to 5x less than that (Saying this as a mid-level software dev from West Michigan).