How these companies don't hire kids like Daniel for pennies on the dollar and have him attack their stacks on a loop baffles me. Pay the kid $50k/yr (part time, he still needs to go to school) to constantly probe your crappy stacks. Within a year or two you'll have the most goddamn secure company on the internet - and no public vulns to embarrass you.
That's a bit simplistic.
If you sign a contract with a "hacker", then you are expecting results. Otherwise how do you decide to renew the contract next year? How do you decide to raise it next year? What if, during this contract, a vulnerability that this individual didn't found is exploited? You get rid of them?
So you're putting pressure on a person who is a researcher, not a producer. Which is wrong.
And also there's the scale. Sure, here you have one guy who exploited a vulnerability. But how long it took them to get there? There's probably dozens of vulnerabilities yet to be exploited, requiring skills that differ so much from the ones used by this person that they won't find them. Even if you pay them for a full-time position.
Whereas, if you set up a bug bounty program, you are basically crowdsourcing your vulnerabilities: not only you probably have thousands of people actively trying to exploit vulnerabilities in your system, but also, you only give money to the ones that do manage to exploit one. You're only paying on result.
Obviously, if the reward is not big enough, they could be tempted to sell them to someone else or use them themselves. But the risk is here no matter how you decide to handle this topic.
Just going to say here that people routinely engage pentest firms, several times annually, for roughly that sum of money, hoping but not expecting game-over vulnerabilities (and, from bitter experience as a buyer rather than a seller of those services over the last 5 years --- "no game-over vulnerabilities" is a very common outcome!)
I completely agree!
But hiring a pentest firm is completely different than giving $50k a year to a guy, no questions asked.
The pentest firm is generally providing the whole package, from doing the actual pentest, with tools and workers of various experience and skill sets, giving you extended reports on what they did and the outcome, to providing guidance on how to fix their findings, how to make the necessary cultural changes to harden your apps, and also how to communicate that you have passed their audit.
You won't have all of that if you give free roam to a guy to _do what they do_.
This idea is more similar to patronage, which, imho, is a great idea, no matter the domain (arts or tech), but I doubt that there any company here that is willing to go this way.
Even the company that supposedly do actual patronage today are going to look at their ROI and stop as soon as they don't see the figures they're expecting.
Don't get me wrong, I'm not saying it's dumb to think about retaining a talented teenager on a contract.
> from bitter experience as a buyer rather than a seller of those services over the last 5 years --- "no game-over vulnerabilities" is a very common outcome!
Why bitter? Did they miss some?
Otherwise, isn't that the goal to begin with? Shouldn't you be proud instead?
Every pentest misses stuff. That's kind of the point I'm making. But yeah: as someone with a software security background, when you contract a test, you want them to find stuff!
They've already proved themselves as competent. $50k a year to a billion dollar company is nothing. Even if they find 0 vulnerabilities a year it's still worth it to them
I directionally agree with you but we could go another 20 comments deep on exactly what the purpose of an external pentest or red-team exercise is and how it might not match up perfectly with what an amateur web hacker is currently doing. But like: yeah, they could get into that business, at least until AI eats it.
So now they found a vulnerability, the company should pay them $50k a year until they retire because they proved themselves competent?
Yes?
There are a lot of ways to monetize a security researcher. Publishing research, even "we failed to perform a full exploit", is a huge recruitment tool and brand awareness tool.
It's not quite that simple. I don't think most bug bounty participants want a full-time job. But even more-so in my experience they are not security generalists. You can hire one person who is good at finding obscure XSS vulns, another that's good at exploiting cloud privilege escalation in IAM role definitions, another that's good at shell or archive exploits. If you look at profiles on H1 you'll see most good hackers specialize in specific types of findings.
I doubt it.
Just because he found one vulnerability at one vendor used by Discord doesn't mean he'll find all the vulnerabilities that exist at Discord or indeed any of them.
TFA:
>Discord is one of my favorite places to hunt for vulnerabilities since I'm very familiar with their API and platform. I'm at the top of their bug bounty leaderboard having reported nearly 100 vulnerabilities over the last few years. After you've gone through every feature at least 10 times, it gets boring.
That doesn't specify how many bugs there existed in the Discord codebase throughout the time where this person was active. Only once you know that, can you say whether they found a significant proportion relative to the effort they've spent and would spend as a part-time employee. That other people still find things also suggests that the statement above ("just hire him and you're secure") might have been a bit simplistic
Having been adjacent to this for years, it's because it's a cost center and not attached to the bonus of any product or program manager. Every now and then we'll get an advocate for security/integrity at a company but the effort lives and leaves with them.
Microsoft, after getting beat up over this for decades, is still horrible at it. In my area they're have been enforced regulations for years but they're written by the industry itself and infected with compliance managers and thus result in wastes of effort that makes compliance managers that came over from HR and legal happy with their eternal job security and minimal hard work.
Until some heavy handed top down regulation, written by people who understand the nature of ongoing security and software and embedded lifecycles, it's going to stay like this. Most existing supply chain regulation I've seen ends up saying "vet your vendors" and gives minimal practical guidance of how to actually do that. Likelihood of some really good law coming out of the current US administration and business climate is left as a comedy for the reader.
I feel like the "I'm a 16 year old high school senior" thing is some kind of social engineering- his knowledge seems a bit too broad.
But who knows.
There are plenty of competent 16 year olds.
I just read a story about a 13-year-old awarded a Ph. D at a prestigious university.
Human intelligence/aptitude has such extreme distributions it's almost unthinkable.
Who knows indeed.
It's easier than ever to pretend you know more than you do on the internet these days..
Not saying that's the case here, but that's the world we live in now.
I wonder if this analogy could work: if some random visitor pointed out your storage room's key is nearly broken and anybody could come in now and steal your store's stock. You'd be thankful, but would you hire them to come from time to time to check if they have any other insight ? Probably not ?
If you really saw a recurring security risk you'd have many other better use of your money.
Apple hired George Hotz (geohot) after he wrote the old 2010s iOS jailbreaks.
It wouldn't surprise me if he's in this thread - curious what his thoughts would be.
While I would love that for the kid I dont think these companies care about security at all.
I think that's unfair to say about a company that pays bug bounties at all.
A lot of other companies would have ignored the email for weeks or threatened legal action.
Its cheaper to pay bug bounties than to hire a security expert or legal costs
just wanted to disagree with anyone who thinks someone like this needs to go to school
no, he needs to make his own agency
[dead]