>> It's upsetting to see a company worth $10+ billion offering $5k - $15k when it comes to the protection of their users' information. Just earlier this month Facebook rewarded a paltry $15k for a bug that could unlock any user's account. That sort of information in the wrong hands or resulting in a massive PII leak will cause a few orders of magnitude higher in damage to their market cap and goodwill.

Regardless of what you think about bug bounty valuation, it's not unfair. This has been rehashed so, so many times and rebuked by people like tptacek, thegrugq and myself that I'm just going to start pasting this comment whenever this sentiment comes up on HN:

https://news.ycombinator.com/item?id=11249173

...

This has been discussed many, many times on HN before. This bug would not cause Facebook much damage; in fact, Facebook and Google tend to overpay rewards for bugs for the purposes of goodwill and recruiting.

Let's examine the facts:

1. A Facebook vulnerability is dangerous to Facebook. A WordPress vulnerability is dangerous to a quarter of the internet. Facebook is not a high value target, relatively speaking.

2. A Facebook vulnerability will be patched once it is widely used. Facebook's security team is one of the strongest and most sophisticated of any company, and their processes would quickly catch this once it was used. The total impact of the bug would be negligible. You'd lose the ability to compromise accounts as soon as you tried to do it in any meaningful or lucrative way.

3. A vulnerability in Facebook might last a week before being patched, but a vulnerability in PHP will persist on the internet for years. No matter how many individual sites patch their servers, you'll still be able to pop a lonely server with social security numbers chugging along in a closet somewhere.

There really isn't much more to say about this. People claim bounties awarded by Facebook/Google/et al are undervalued every single time a bug bounty hits the front page of HN. Every single time, someone who is in the security industry patiently explains why it's not that valuable.

If someone tried to go to a blackhat group or go to the "black-market" (a shadowy, lucrative place that never seems to be very well-defined in these conversations), he would not even be able to find a seller, let alone one who would pay a lot.

What do you imagine someone would pay for this on the black-market? They'd need to profit from it. How much profit is worth their time?

Say they buy it for $20,000. Do you really think someone will derive $20,000 of profit from this before it's caught and patched by Facebook?

The only vulnerability worth $15,000 or more is one directly impacting a language, a widely used development library/framework or a widely used piece of software.

For further reading:

https://news.ycombinator.com/item?id=7106953

https://news.ycombinator.com/item?id=9302188

https://news.ycombinator.com/item?id=9040855

https://news.ycombinator.com/item?id=9041017

https://news.ycombinator.com/item?id=8563884

Do you use the same (de)value justification when billing clients for your security services? Or, maybe, it's precisely because you're all security professionals who make a living by identifying security flaws and you'd prefer not to introduce competition from the open market. Unattractive bug bounties ensure you can justify your services.

Just like Uber is to the taxi industry, bug bounties are a disruption to your own business model.


I can understand why you'd believe this, but I am actually a fan of bug bounty programs. I have both participated in and managed bug bounty programs before and I think they are absolutely a win for our industry. Frankly, they occupy a different market positioning than my own work.

Of course, you're free to believe or disbelieve that, but each of my points stands on its own weight regardless of my own occupation.
