undefined | Better HN

0 pointsjustsomeuser5y ago0 comments

Dropbox and co pay $10,000 for the same exploit.

0 comments

Then you should sell it to Dropbox, because $10,000 is extremely high for an XSS vulnerability.

I do not have the market rates for vulnerabilities, but I do know some pen testing companies charge $10,000 for a few days of work that may not return any concrete bugs.

Compared with hiring a pen testing team, offering high bounties seems like a bargain as you get actual exploits that would impact the company.

tptacek5y ago

Yes, that is the premise behind bug bounties. If you're a vulnerability researcher with a track record, you will probably make better money and certainly more consistent money as a pentester. Many pentesters just do both.

I have, uh, some experience with the rates here.

1 more reply

j / k navigate · click thread line to collapse

0 comments

tptacek5y ago

Then you should sell it to Dropbox, because $10,000 is extremely high for an XSS vulnerability.

justsomeuserOP5y ago

I do not have the market rates for vulnerabilities, but I do know some pen testing companies charge $10,000 for a few days of work that may not return any concrete bugs.

Compared with hiring a pen testing team, offering high bounties seems like a bargain as you get actual exploits that would impact the company.

tptacek5y ago

I have, uh, some experience with the rates here.

1 more reply

j / k navigate · click thread line to collapse