> Bounty programs are very much not trying to compete with crime.
Nor did my post posit this.
Bounty programs should pay a substantial fraction of the downside saved by eliminating the bug, because A) this gives an appropriate incentive for effort and motivates the economically correct amount of outside research, and B) this will feel fair and make people more likely to do what you consider the right thing, which is less likely if people feel mistreated.
Should this be true only for vulns, or all bugs? If I as a third party find a bug that is causing Google to undercharge on ads by a fraction, should Google be obligated to pay me a mountain of cash?
Is there any evidence that OP feels that this payout was unfair?
> If I as a third party find a bug that is causing Google to undercharge on ads by a fraction, should Google be obligated to pay me a mountain of cash?
No, but Google should understand that if they give a token payment, people will be less likely to help in future situations like this. And might be inclined to just instead tell ad buyers about the loophole quietly.
How do you propose to calculate "the downside saved by eliminating the bug" - ideally in general, but I'd be curious to see if you could do it even for the specific bug discussed in this article.
Prominent youtuber doxxed and killed; terrible press extended for an extended period by litigation. 1 in 5000 but very high cost.
Large scale data leak and need for data leak disclosure. 1 in 3, moderate cost.
Bug report saving engineering time by giving clear report of issue instead of having to dig through telemetry and figure out misuse and then identify what is going on, extents of past damage, etc. 3 in 4.
You think that being able to get someone's email address (most likely a business email but let's pretend it's a personal email) has a 1 in 5,000 chance of being turned into enough personal information to track down AND that someone would use it to kill someone?
Millions of usernames and emails are leaked every month; if this was the case you'd be seeing these murders in the news every week.
> Millions of usernames and emails are leaked every month; if this was the case you'd be seeing these murders in the news every week.
Yes, because all possible scenarios kill the same fraction of people-- whether we're talking about getting a dump of a million email addresses or giving some nutjob a chance to unmask people he doesn't like online.