undefined | Better HN

0 pointsjustsomeuser5y ago0 comments

I do not have the market rates for vulnerabilities, but I do know some pen testing companies charge $10,000 for a few days of work that may not return any concrete bugs.

Compared with hiring a pen testing team, offering high bounties seems like a bargain as you get actual exploits that would impact the company.

0 comments

tptacek5y ago

Yes, that is the premise behind bug bounties. If you're a vulnerability researcher with a track record, you will probably make better money and certainly more consistent money as a pentester. Many pentesters just do both.

I have, uh, some experience with the rates here.

KajMagnus5y ago

Can I ask, if you were the owner of the popular note taking app, what bounty would you want to have paid for that vulnerability? I.e.:

"XSS bug in a popular note taking app ... attacker to download all the users notes just by having them visit a URL"

So as to not feel worried that future vulnerabilities would get sold on the black market instead

tptacek5y ago

XSS? Outside of a social network, where it can propagate itself? For a non-FAANG-scale company? Probably between $250 and $500, if it's a clean and effective XSS. Less if you have to interact with an obscure feature of the application.

1 more reply

j / k navigate · click thread line to collapse

0 pointsjustsomeuser5y ago0 comments

I do not have the market rates for vulnerabilities, but I do know some pen testing companies charge $10,000 for a few days of work that may not return any concrete bugs.

Compared with hiring a pen testing team, offering high bounties seems like a bargain as you get actual exploits that would impact the company.

0 comments

tptacek5y ago

I have, uh, some experience with the rates here.

KajMagnus5y ago

Can I ask, if you were the owner of the popular note taking app, what bounty would you want to have paid for that vulnerability? I.e.:

"XSS bug in a popular note taking app ... attacker to download all the users notes just by having them visit a URL"

So as to not feel worried that future vulnerabilities would get sold on the black market instead

tptacek5y ago

1 more reply

j / k navigate · click thread line to collapse