
Who is lawfully paying out more for bounties on open source projects they didn't even start?

You also seem to discount the monetary value of not becoming a criminal by selling exploits unlawfully. Do you want to be the person that reported a vulnerability to increase security in the world or to give more power to spy agencies or crime syndicates?




> Who is lawfully paying out more for bounties on open source projects they didn't even start?

That’s kind of begging the question. Google invests a non-trivial amount employing Linux kernel developers. How do these bounty payouts compare in terms of the amount they pay for their own engineers and security researchers? This also isn’t a donation. These are rewards for work Google finds valuable enough that they’ve changed several products based on this work. They also benefit immensely from all the free labor other companies and volunteers put into the kernel.

I think OP raised an extremely fair critique of the amount being too small.


If it's too small, what is the right amount, and who should pay it?

I believe the world governments should create an international organization funded by per country quotas like the IMF for example to pay for bounties, but until then, the fact a private company does this sets the market price for exploits, and saying "it's too low" seems meaningless if there's no proof anyone is willing to pay more.

I'm sure if it were $1m per bounty some other HN user would say it should be more as well. That's why you define this by how much someone _actually_ pays out, because talk is cheap.


> and saying "it's too low" seems meaningless if there's no proof anyone is willing to pay more.

The black market is a good proxy for estimating the true market value of an exploit. There’s a coupon to be applied in terms of the legal costs associated with selling on the black market, but still comparable.

The other way to look at it is when are there diminishing returns. From the chart they posted, they’re very far away from that.

Finally the other way to look at it is compared with other kinds of bounties they run for OSS.

Anyway, of course they should be commended for having any bounty. They’re certainly not required by legislation. But maybe instead of having an international governmental body or NGO with funding, you could require that some percentage of a SW company’s revenue is diverted to bug bounties for SW depending on how critical the SW is to the ISV’s business. That way it’s a cost directly borne by the ISV using the software to internalize the security risk into a P&L line item for the software being used (and not just OSS - all software from an ISV should be forced into bug bounties like that). And the vendor has a vested interest in confirming the VULN whereas an NGO could have all kinds of soft corruption incentivizing payments flowing to friends. That being said, I’m not sure the status quo would really improve in any such alternate scheme.


Finding black market prices has been done in the past. The issue is that people often do not have a clear understanding of what a “product” actually looks like on the black market and what the value of the “coupon” is.


Yup, GP underestimates the difficulty of being a serious criminal.

If you try to sell your exploit on the black market for 133k but mess up and walk into a federal agent honey pot, now you're in jail for 10 years.

Even if you did successfully do it, imagine how hard it is to explain where an extra 133k came from in your bank account.


Why would it be illegal to sell? Is it illegal to sell information on door locks which can be opened with a bump key?


If you are very confident that the buyer is legit and not evil, then you’ll be fine.

Imagine though, that this information you willingly sold to a shady party was used in a big hack. Say national security or an oil pipeline or something.

Do you think your defense will hold up in court? How many years will you be in court? Even if you are deemed not guilty, will your life ever be the same?

You’re gonna risk all of that because you thought you could squeeze $200k out of your bug?


Why "black market"? Surely any intelligence agency worth their salt has a public, open, completely legal program where you can just contact them and offer what you have, no? They'd be stupid not to.


Selling to governments is not trivial, at all. You can't just post these things on eBay and hope for the best. Like all things, you need hard fought relationships to be able to even talk to anyone, let alone actually make a sale.


> You can't just post these things on eBay and hope for the best.

Of course not. You start a "security consulting company" and then apply to be a contractor. There are hundreds, if not thousands, of companies like that. And as an individual researcher, you can either join such a company, or freelance for one.

It's indeed not trivial, but I imagine that anyone with enough experience in the business would know how to pull it off.


Example of someone that did that and posted a writeup? How much did they pay for similar exploits? I would be unsurprised if Google paid more


Generally people who work at these places are not all that chatty about it online.


I'm pretty sure it's "lawful" to sell exploits to intelligence agencies of your own country. It wouldn't make any sense for it not to be, considering that the same people who control those agencies also control what's legal and what isn't.


It might be lawful in the sense that your country won't prosecute you, but definitely not for the good of other people, and morally questionable.


Can you link me to where I can submit bounties to a spy agency, and any material or personal anecdote about them paying more than Google for Linux kernel exploits? Because so far this all sounds like speculation on your part.


> Can you link me to where I can submit bounties to a spy agency

No. I have no idea. But it would clearly be in the interest of such institutions to have such programs, so common sense says they do. I'm sure that people who are active in this business would know more about it.


I’m not active in this business, but I know people who are. It’s not as easy as you think it is. You cannot just go to a government and say “hey, here’s my bug, give me a million dollars”. First off, your bug probably isn’t worth a million dollars, at least if you’re just converting bug bounty submissions directly. They’re looking for reliable exploits, and payouts will depend on how long they can continue to field the chain (if it gets patched, you might be on the hook for another exploit!) and whether you’re selling it exclusively to them. Payouts will typically happen on a schedule.

Unless you’re a very known quantity they’re not going to talk to you directly, anyways. You’re going to go through a broker who will take a cut. My understanding (though I don’t know much about it) is that say, the NSA, has their own internal teams and they don’t need to buy anything anyways. The other federal agencies will contract out to a handful of firms that generally have salaried employees. You can work there, but now you’re seeing very little of the “profits” that come from the sale. Maybe your exploit will get some shoddy forensics glued into it and end up being sold as “data recovery” or something for a local police department, who probably doesn’t have much money to spare anyway.


How do you define "selling exploits unlawfully?" I'm not aware of any law that says only Google is allowed to purchase information disclosing exploits in open source software.


Because if this exploit is ever used in breach of the Computer Fraud and Abuse Act, now you are down as a conspirator.

When you sell this to another party, are you going to report it on your taxes? If you do report it, is your buyer going to like that?

If you clear all those conditions, then by all means.


> When you sell this to another party, are you going to report it on your taxes? If you do report it, is your buyer going to like that?

You don't need to declare who gave you the money on the income tax filing.


> You don't need to declare who gave you the money on the income tax filing.

Don't you? I thought that in the US you needed to have either a 1099 or a W2 for any significant employment income.


- this isn't employment income, that's a separate category with higher taxes

- you want the payment sent to your LLC or similar, not directly to you. See above

- the requirement to file a 1099 is on the payer, not the worker

- many transactions don't require filing a 1099, most notably all payments made using a credit card. If you're an independent contractor in the US and accept credit cards, you'll get paid 5 minutes after sending an email instead of 30 days later after it goes through layers of approval


Then you get investigated for money laundering?