Bounties exist for security bugs to make it more profitable to report the bug than it is to exploit it, or to sell knowledge of it to those who would. A bug about opening 70 copies of Visual Studio is unlikely to be very profitable to exploit.



Respectfully, you are incorrect that bounties exist to make it more profitable to disclose than to sell.

Corporate bug bounties will never be able to compete with the budgets of nation states.

They are basically a way of paying respect for a moral approach to a discovery that takes great skill.


Please tell me, what do I need to do to sell to nation states? I've found lots of remotely-exploitable (as in root or direct financial gain) in open source and commercial software. Vendors have poor responses[1] so I've stopped disclosing but if I could legally convert them into cash I'd be very interested in knowing how. For now I'm just keeping them because I might decide to open an auditing company some day and they'd be good marketing.

1: Once a company got angry and blamed me for delaying their shipping cycle. Another time they laughed when I suggested their memory corruption might be leveraged for escalation. And another vendor told me "buffer overflows would only happen maybe if you had a very fast network IO".


Here's a profile of a 0-day broker [1] I read a few years ago.

[1] http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...


I wonder what pricing is like for industry-specific systems. Places where an operational leak can easily cost $$$$$ a month and go rather undetected and certainly not prosecuted.

I suppose that's only valuable to criminals. Sorta like saying knowing someone's bank info can let you steal money - no one legit will pay for it.


You could always work for Endgame Systems.


Of course they cannot compete on a dollars-for-dollars basis, but people will often accept less return (or pay more) to stay on the up-and-up.

If a criminal would pay you $10 for your exploit, and I would pay you $9 to disclose it, many people would opt to disclose.


Furthermore, I imagine it could attract researchers' priority and attention to your product over a competitor who offers a lesser/no bounty.


And what if instead of $10 and $9, it's $75,000 and $1,000? And you live in an Eastern European country, where the former will feed your family for years.


Then the ratio of people who would disclose changes. I'm not saying the bounties prevent everyone from selling to criminals.


Do we have the numbers on what percentage of disclosed bugs are from Eastern Europe/"poor" countries? My guess is that gray-hat researchers take into consideration their likelihood of being caught when considering the bounty.

It would be interesting to know the percentage of people from less-developed countries who choose to claim bounties rather than exploit the bug vs. that of people in more-developed countries. I think you would probably find that fewer bug bounties are claimed by researchers in countries with less computer crime enforcement. I think you would also find that raising the payout for bug bounties would affect that likelihood.

Great thesis project for someone to work on.


You're right. I shouldn't have said "more profitable"; obviously you're going to get more money immediately by exploiting a bug that gives you direct access to everyone's bank account. What I should have said was "more attractive".

If I have to choose between 5 years' wages with a 90% chance of going to jail for a very long time vs. a month's wages as a bounty and a 0% chance of going to jail, I'm going to pick the bounty every time. I think a lot of people would agree with me.

As discussed further down in this thread, raising the value of the payout or lowering the possibility of being caught makes the other side more attractive.

(Of course, I would choose to disclose every time, because I'm just a good person.)


I don't think the bounty is all that significant in deterring any would-be exploiter. Instead, it incentivizes the honest person who enjoys the puzzle of finding the exploit but would never actually try to profit from it illegally. It might allow some of those "hobbyists" to justify a little more time at the task, or attract them to one project over another.


When is the last time you heard of someone going to jail because of a zero day?


Bad guys must not agree with your assessment of 90% chance of going to jail.


The risk of getting caught isn't constant; it's highly dependent on the circumstances and the perpetrator.

Also, besides the crime itself, spending a large sum of ill-gotten money without getting caught is a lot easier if you already move in an environment geared for that. There are few things you can do in a middle-class lifestyle that won't arouse suspicion.


I think that's what defines them as "bad guys".


That sounds like wishful thinking to me.

Realistically, companies including Microsoft will pay as little as they can to anybody, and if they get such nicely detailed bug reports for free, why would they ever pay?


That's the point. If they were paying to compete with the black market, they would be paying more.


Is MS paying bounties?

I thought they only reward major exploit mitigation bypasses.

So I am not sure whose argument this supports, but I think MS pays bottom dollar ($0) for general vulns.


Bug bounties also pay for the work an individual puts in on x-random company's product. The time taken to figure out and fully demo a POC isn't inconsequential.


The feds usually play on the god and country crap rather than actual cash.


Speaking from experience?


Just general observations from things like the rate of pay differences between the Army and Blackwater.

I'm imagining that if you phoned up the CIA/NSA to sell them a vulnerability that they would not pay you and instead would send some lawyers to seize the info under a flimsy pretext.

For the most part the gov't acts like working for the gov't is some noble thing worthy of losing pay over, as if it was some special honor to die being paid $40K per year instead of $400K per year.

That said if you can contract something out to the gov't through official channels they'll pay the stupidest rates imaginable. So I guess if there was an FBO contract for vulnerabilities you'd probably do quite well.


>Corporate bug bounties will never be able to compete with the budgets of nation states.

I somehow first misread that as 'Companies will need budgets of the level of nation states if they start paying for all bugs'.


Ha!
