Cool bug. Bug bounty money is pathetic.

I was going to ask. Isn't 4k from Discord pretty low for the work conducted here? I'm not familiar with bounty payouts. I'm hoping these companies aren't taking advantage of them.

4k is sadly Discord's highest bounty they give out (screenshot from their Bugcrowd program: https://imgur.com/a/KNIdeXh); even more critical issues than this one get paid the same amount out.

What is the reason for the low values? I would understand if it was a small company, but we are talking about Discord here.

Supply and demand. Selling via grey markets is an option, but many white hats don't go that route due to risk. There's plenty of people that will also find vulnerabilities without any money attached.

That's a limited view. The damage this could cause should be accounted for. People don't have to sell shit, they could fuck things up just for the fun of it. That's something to consider, especially with a bunch of teenagers. Now, these big corpos didn't take the chance to sponsor and encourage these kids' early careers and make this fuck-up good PR, at least.

That's not how economics works. I can't do my job without a computer or glasses, but that doesn't mean I can pay the suppliers of these things most of my salary each. Preventing a 100k€ problem says almost nothing about what the payout should be. As for them just causing chaos for fun, that nets them just about nothing (what's an evening of fun worth, like what are you willing to pay for a cinema ticket?). This is certainly more (hundreds of times more) and so covers that risk as well.

In an ideal world, these bugs, especially low-hanging fruits, shouldn't be discoverable by some random kids. These billion dollar companies should have their own security researchers constantly monitoring their stack. But those costs are cut, because the law de facto doesn't hold them liable for getting hacked. It's a very good deal for companies to pay bug bounties, but they mostly cheap out on that, too.

It's like a finder's reward elsewhere in life. If you lost your wallet, your immaterial and material loss is quite high, but apart from cash the contents are of way less value for a finder/thief. These types of rewards are meant to manipulate emotions and motivation. Twitter paid these kids each between $1 and $20. That's insulting. As I said elsewhere, bug bounties are PR. And it's bad PR in this case. Black market pricing is the absolute low end for valuation (it's basically the cash value in the wallet example).

> these bugs, especially low-hanging fruits, shouldn't be discoverable by some random kids. These billion dollar companies should have their own security researchers [...]

I'm twice this kid's age and have been doing this hobby-turned-work as long as they have. I can tell you the work we do is no different. It doesn't matter if you're 16 or 64 or what your credentials are or salary is. We're all just hackers. Hacker ethos is judging by skill, not appearance. Welcome to hacker news :P

https://en.wikipedia.org/wiki/Hacker_ethic#The_hacker_ethics item #4

> Twitter paid these kids each between $1 and $20.

The submission doesn't say they've even contacted Xitter. I thought it was in the title just to drop names that we've heard of that used this dependency. Did you legit find somewhere that they got ≤$20 for an exploitable XSS on the x.com or twitter.com domains? That is definitely a strangely low amount, but then I'm not surprised by anything where Elon is involved. It could also have been a silent fix without even replying to the reporter; I've had that often enough. But yeah, from X I would expect a few hundred dollars at least, and from old Twitter (or another legit business) more than that (as Discord demonstrated).

Get off your high horse. In this instance it's been a kid, and it does not concern some highly arcane flaw in a crypto library or chained kernel exploit, which may have passed even a pro. I already implied this bug should have been found by in-house security, so obviously it's within the domain of professionals and teenagers alike.

> The submission doesn't say they've even contacted Xitter.

This one doesn't. This one does: https://heartbreak.ing/. Or at least, I presume they meant Twitter when they wrote "one company valued 44 billion".

> Get off your high horse

What did I say that made you reply this way?

Not sure what risk, but for me it would be morals.

I've rarely gotten bug bounty money and not even always a written thank-you, but it doesn't cross my mind to somehow seek out a malicious actor that wants to make use of what I found. Leave the place better than you found it and all that.

> Selling via grey markets is an option, but many white hats don't go that route due to risk.

I would think that such a sale makes one inherently not "white hat".

What "grey market" are you talking about? How specific can you be about it?

I know you love asking people this question, so sorry to spoil your fun, but you know just as well as I do that there isn't really a "grey market".

There absolutely is. I'm just not familiar with one that buys these vulnerabilities.

Supply and demand I guess.

Pathetic for a senior SE, but pretty awesome for a 16-year-old up-and-coming hacker.

You are right, but that could (probably not) make them go for the bad route because they would get way more money that way. 4k for a bug that could take control of your customer account sounds disrespectful to me.

Yeah, my read is that the teenage hacker confronted with this ridiculous payslip sees two ways forward: accept the pay cut for the CV benefit of working with bug bounties, or get a bit better at hiding your ass and make them really pay.

If I were 16, I’d be thinking I just made an obscene amount of money ($4,000!) messing with computers for fun, and got to meet people at a famous company.

That’s a free car. Free computer. Uber eats for months.

And my status with my peers as a hacker would be cemented.

I get that bounty amounts are low vs SE salary, but that’s not at all how my 16yo self would see it.

When I was sixteen I was already familiar with the concept of leverage. I'm not sure if I'd have had the cojones to use it though.

Playing devil's advocate, but 4k is probably more money than most kids that age have seen in their life.

I hope I'm not assuming too much, but I really hope the up-and-coming hacker is smart enough to know that his work was worth more than $4,000. That's 1-2% of an annual SE salary for someone with a similar skillset.

> That's 1-2% of an annual SE salary for someone with similar skillset.

I agree $4,000 is way too low, but a $400k salary is really high, especially for security work.

> That's 1-2% of an annual SE salary for someone with similar skillset.

So commensurate for approximately 2 days of work, a little high for two hours of work, and a little low for 8 days of work.

And this will help them land that six-figure job.

I mean, as a hiring manager, a fresh grad with multiple bug bounties tells me a lot about their drive and skill, so I'd agree. It's a great differentiator.

Market value is the same regardless, so this was pathetic.

What do you expect? a16z-funded and they love to talk about how much they've raised, thought-leader style co-founders, etc.