Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
Rich Kulawiec <rsk@gsp.org> Tue, 25 August 2020 21:35 UTC
Date: Tue, 25 Aug 2020 17:35:18 -0400
From: Rich Kulawiec <rsk@gsp.org>
To: ietf@ietf.org
Subject: Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
Message-ID: <20200825213518.GA16584@gsp.org>
In-Reply-To: <2C8B2840-D0D1-450A-94D2-1408D4014FC7@cable.comcast.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/AJJVb_HAJNBdDEZ8ldrrBb6JVXA>
On Thu, Aug 06, 2020 at 07:28:07PM +0000, Livingood, Jason wrote:
> I have heard that some security researchers may not bother reporting
> absent a small bounty.

This is true. One of the many problems with this approach is that the bounties are, indeed, small. Serious bug research may take months of painstaking work; offering someone $500 for that isn't going to really motivate them to share their result when they may be able to go elsewhere and get $50K for it. This is particularly glaring in the case of companies which are reporting multi-billion dollar profits and paying some employees multi-million dollar salaries, yet for some reason can't seem to find more than pocket change for bounties.

While it's true that some reported bugs are the result of minimal work and the use of an automated tool, some of them require months of diligent, careful work. A bounty for such things should reflect the current market value of that labor, plus a bonus because all of that work was done on a speculative basis, plus a bonus because that work fixes a problem that got by everyone else, plus a bonus because it will save the company the much larger expense of dealing with the fallout if it's exploited. Bug bounties probably need to start at five to six figures.

Another problem is that companies often refuse to pay. This is understandable if it's a non-bug or if it's something found by an automated tool that they already ran 63 times and know about, but it happens often enough with serious/detailed/complete bug reports that it has created an atmosphere of distrust. So anyone who's got a viable bug now has a choice: offer it to a company which may well use its legal and bureaucratic resources to weasel out of paying even a minimal amount, or offer it on the open market to buyers who also may weasel out of paying but *might* cough up a lot more for it.

If those offering bug bounties want to be taken seriously in the marketplace, then they need to start adding more zeroes to the right side of their bounties.

---rsk