
I'm always curious why these bug bounty programs for billion dollar companies pay so little.

Why not make this a 10K, 25K bounty even if it's small potatoes?

That amount is nothing to Twitter but might prevent what happened in this case (continued collection of data, public release before Twitter could notify users, etc).

I've noticed this trend of painfully cheap bounties at most other tech giants too.

I mean, there is a mix here: some genuine notes about how high bounties can cause coordinated breaches to farm income, but also notes about how bounties shouldn't replace pen testing (I agree, but have both and don't, as a pen tester, just argue that more money should go to pen testing; it's way too self-serving), and a weird comment that having a low bounty and then overpaying for a return of privileged data if the compromise could expose that data is a bad idea because it encourages bad actors. If the bounty is 3k and the data is worth 30 mil then yeah, bad actors will emerge, because you're criminally underpaying for exploits.

Honestly, a lot of the reasons I'm seeing for lowering the payout of bounties seem to revolve around "It's too expensive".


More reasons: https://twitter.com/k8em0/status/1078798252151992320

Almost any amount of money allocated to bug bounties would be more efficiently spent developing in-house talent.


Which serves the argument that instead of rewarding people for sharing vulnerabilities we should be punishing companies for having them. Harshly. The more data points a company tracks, the faster the fine should approach 100% of the entire company market cap. Their subsidiaries, parent companies, board, and executives should also not be immune, but rather personally liable for egregious cases of not knowing, failing to, or cutting corners around documented best practices, security patching, hardware rotation, etc. The entire industry needs to be reworked to put security and make all PII hazardous.

Sadly, software is going the way of construction. Things will only change when TPTB get inordinately affected.


It's literally the main reason I will never be in favor of this "responsible disclosure".

It pays shit and also vilifies users for learning how the system was built.


Supply of labor. The lump of labor fallacy does not apply to software bugs.