
> triagers have a whole pile of crap to wade through, to get to the useful material.

This is very true.

> The issue with bug bounties as a whole is that the market is skewed. For any work done by a bug bountier, there is exactly one legitimate buyer, who gets to make a significant judgement call on the value of the work done.

The problem, in my experience, is that they never analyze it by its potential. Why would they? They have the details now, and usually your legal details, so if it leaks they'll have you busted in a heartbeat and sued for contract violation.

> Furthermore, it really is hard to place an accurate monetary value on a bug that's responsibly reported

I submit that, from my experience threat modelling, this is actually dead simple, but nobody feels the need to do it.

> What precisely is the monetary loss from ...

As you point out, the issue is that there's a single buyer. You really need to open up the bidding. If you trusted a Russian mob to pay residuals (and they probably would) you might be able to sell this for what ended up being $50M+, and the criminals could clear billions if done right. Then the next time something like this came up you'd have more bargaining power. If the company was still there...

Thomas is right that there isn't specifically a market like flippa for exploits but there are dark markets and many of the vendors would be open to a chat. I'm not rooting for this, I'm just not blind and it will happen. (Well, if it's Twitter I'm rooting a little...)



IMHO it’s only a matter of time until someone blows up a unicorn just for the thrill of it. That’s not something I’d support, but I won’t feel bad for companies that don’t pay adequate bug bounties.


You mean like cracking the most lucrative accounts on Twitter and then stealing Bitcoin? https://www.wired.com/story/inside-twitter-hack-election-pla...


As of right now, what is the lasting damage done to twitter by that attack? My argument is that it honestly wasn't that much, and thus bugs capable of that amount of damage aren't valued that much either.
