From another thread here, the author talking about the time involved:
>Two to three hours discovering and writing the initial report, couple more hours (unsuccessfully) trying to escalate it using pre-approved apps.
I'll round his estimate up to 6-8 hours, or basically a normal work day:
$5000 / 8 = $625 an hour
$625 * 40(hour work-week) * 50(weeks) = $1,250,000 annually
Let's say it took an entire week's worth of time (comes out at $125/hour):
$5000 * 50 = $250,000
Is that range wildly out of line for what Facebook would potentially be paying for a full-time employee? The actual salary number would probably be lower, since this would include the cost of taxes/insurance/perks/etc.
Even as a contractor, where the "expect to bill ~1000 hours a year" rule of thumb is/was common, that puts the range at $125,000-$625,000.
Seems as though if you can reliably find organizations willing to pay these amounts and have the skill/luck/grit to grind out vulnerabilities at those companies, you'll make a decent living. Or, put another way, these companies are paying bounties comparable to what the same research would have cost coming from a staff member.
Is there much reading available for that kind of thing?
But, a good starting point might be the analyses people have done on the Hacking Team leak.
Essentially what the argument comes down to is that a one-off bug to exploit a company like Facebook is actually not worth very much to anyone on the black market, because the bug is likely only valid for one company and that company will likely patch the bug very quickly. This leaves the attacker with a very narrow window to exploit the bug.
Attackers on the black market paying for exploits are looking to make money from those exploits. If there is only one place they can use the exploit and perhaps only have a few days or even hours to use it how much would it really be worth? The exploits that pay big on the black market are ones that are enormously widespread and less likely to be fixed quickly.
If I can find better, more detailed, explanations I'll post them here. Maybe tptacek can link to his past comments...
https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/
https://www.wired.com/2015/07/hacking-team-leak-shows-secret...
Think about the steps required to acquire and monetize stolen photographs from Facebook accounts. Only a few of those steps involve Facebook vulnerabilities, just like only a few of the steps involved in building a software company involve actually writing software.
But in order for that business to work at all, it needs a steady supply of Facebook vulnerabilities; all the work setting up a sales channel for photos, in reconnoitering accounts to figure out which ones to raid for photos, in determining what the prices for photos should be, in scouting out new customers for photos, and most of all providing OPSEC for a ridiculously risky criminal venture, all of it is at a standstill until someone (a) sells them a vulnerability and (b) shows them how to pivot that flaw to acquiring photographs.
Nobody is running that business, ready to receive Facebook CSRFs (or even serverside RCEs) so they can get another few weeks of Facebook photo-snarfing in. One way you know that is that when celebrity photos are stolen in phishing attacks, it's a major news story.
Vulnerabilities that command high prices on the black market do so because they slot into already-existing criminal enterprises. If the enterprise does not yet exist, the vulnerability is worth zero.
PS: And by the way, I'm in no way circlejerking; this is not Reddit. I'm here for a serious discussion on the topic.
There is virtually no market at all for serverside bugs, because they have no half-life: as soon as they're detected, they stop working against all targets instantaneously. Contrast that with browser clientsides, which have long half-lives.
A SQL injection bug in a Facebook service would not fetch much more than $50 from anyone but Facebook itself.
- How likely it is for someone else to find it (even internally)
- How long does it take for it to be identified and exploited, the impact of that, and time for mitigation/fixing
Two to three hours discovering and writing the initial report, couple more hours (unsuccessfully) trying to escalate it using pre-approved apps.
>I think $5,000 is a joke
This is still $5,000 more than I would get reporting a similar bug to 99.999% of companies, and I am OK with the bounty. Here is a good comment on the topic of bug bounty rewards: https://news.ycombinator.com/item?id=11249173
You'll get a taker. Nobody other than Facebook is bidding for these bugs, and you're promising to be the high bidder for a lot of them.
I tend to agree. They should probably add a zero to that.
Obviously $5,000 is a lot of money, but not to Facebook, and especially not in the context of fixing serious vulnerabilities on a platform that has 1.65B users.
If Facebook paid more they'd enhance their security in the process, at the cost of what amounts to chump change for them.
There really should be a bug marketplace, instead of one side having all the power and paying pennies.
If you believe otherwise, you're missing a business opportunity. Go create a "bug market" for Facebook and Google serversides. It's not illegal to buy vulnerabilities, or to sell them (so long as you're reasonably sure they're not going to be used as part of a specific criminal enterprise --- but don't worry, if you stick a $5000 price tag on a serverside bug, or even a $500 price tag, you can be pretty sure it won't be used by criminals).
However, I do believe that saying you discovered a pretty serious bug by putting it on a market sends a strong message: your system is vulnerable and you are too cheap to pay up.