
That is terribly low for such a critical issue. There are Ethereum L2s that pay out $2M bounties.

https://twitter.com/saurik/status/1491821215924690950



That's a bad analogy, although you point out a possibly good thing for L2/crypto - the bug bounties are massive because the projects have a silly amount of funds.

Password managers don't operate with those economic models though.


1Password has raised almost $1B. Surely they could put at least $1M toward a critical bounty?


Agreed!

In fact, I'd argue that, if they are positing that the reputational risk for a successful hack exceeds 10% of their notional valuation, then they should try to commit at least 10% of their market cap as insurance against that ever happening, or at least if they would gain enough information to prevent this from ever occurring. This isn't that hard to figure out.

The best thing about that insurance is that it's literally free -- they never have to pay out unless the event actually occurs.


Depends on the cost/benefit. 3x security engineers to detect/respond to vulns and attacks is less expensive but gets similar coverage plus a lot of other work capacity, for instance.


What cost? There is literally zero cost.

Unless a successful attack actually occurs, in which case it's literally almost priceless in terms of their reputational damage, unless they can get their hands on it before someone else.


Although PWMs would get a reputation hit from a breach, there isn't any precedent yet for high-trust software being breached publicly and what happens to their reputation.

But, if you ask around enough with security teams at the large cloud providers, there are definitely rumors of APT-level activity being detected/blocked at the infra level. Yet, cloud is still the most secure option out there vs. on-prem in 90% of the use cases for it so to speak. Similarly, there is just too much precedent of high trust firms being breached, and nothing really happening to them as a result (fines, loss of users, etc).

So, you allocate $1mil, possibly spend it, and either way can't use it for anything else, or you allocate a fixed cost of $600k/yr and get a lot more out of it on the security front, to include solid defense-in-depth, detections, and IR capabilities for if/when the successful PWM attack finally occurs. Personally, yes probably worth putting out a hefty bounty, but pragmatically you'd get more out of hiring the engineers.


1M allocated to this bug bounty is 1M not spent if their security is strong enough.


Yes.

Given that the payout is probabilistic and serves business goodwill, I'd argue for a more substantial reward. Possibly secured through a bond or insurance policy.


Password managers unlock hot wallets, and much more besides.


The vault vendor likely isn't exposed to that full liability. But on a business-trust basis, the goodwill is all but certainly worth > $100k.



