Increasing Google and Alphabet VRP rewards

bughunters.google.com

100 points by erbbysam a year ago · 101 comments

Topfi a year ago

I am genuinely surprised that these have been and continue to be so low. Do not know why, but I was under the impression that we had already gotten into the 1 Million USD range. While I do not know how much an interested party would realistically pay for an exploit that enables the complete takeover or even just limited access to a Gmail/Google account, I am pretty sure it has to be an order (perhaps even orders) of magnitude more than 75k.

Looked into it and am equally surprised to find that others, like Microsoft [0], also have such low bounties for these types of attacks.

While providing such an exploit to the affected company has value beyond the bounty (potential job offers, media exposure, credibility, ethical considerations, etc.), weighing that up against life-changing money really makes it hard to fault those who take the more lucrative route of selling these to the highest bidder, whoever that may be.

Seriously, Alphabet and Co. can afford more, especially considering any such exploit would most certainly hit their bottom line/stock far beyond a few 100k.

[0] https://www.microsoft.com/en-us/msrc/bounty

  • ghostpepper a year ago

    You might find these slides on the 0day market interesting

    https://github.com/mdowd79/presentations/blob/main/bluehat20...

    Unfortunately the talk wasn’t recorded but he did do a follow up interview on a podcast called Security, Cryptography, Whatever

    • Thorrez a year ago

      That seems to be saying that currently there is no market for website vulnerabilities, but a market for them might develop in the future as memory corruption vulnerabilities disappear due to mitigations.

      This Google/Alphabet VRP change I think is pretty much just about website vulnerabilities.

      Disclosure: I work at Google but not on the VRP.

    • IshKebab a year ago

      Skip to the end if you want to see the numbers.

  • doe_eyes a year ago

    There are two reasons for this. First, you're not competing with the gray market because it's quite simply a folly. If a government badly wants a 0-day, they will essentially pay whatever it takes. If you offer a million, they will offer two. You offer five, they offer ten. If you write bug-free software, they will send in Jia Tan. Their alternative to using a 0-day might be trying to hit someone with a million-dollar bomb launched from a $100M fighter jet.

    But the second reason, quite prosaically, is that individual bugs aren't worth that much to a business. You can't build your security program on the expectation that you could reliably squash all bugs. You also invest in being able to detect and contain breaches - and if you do that, even the best exploit is a crapshoot for the attackers. Maybe they get in, lose access five minutes later, and are out a million bucks.

    In other words, the point of paying for bugs is to raise the bar, and to get some independent validation of your security practices - not to make attacks impossible.

    Finally, there's a retention element to it. Paradoxically, you might be worse off if your bounty program instantly turns your best bug hunters into millionaires. If they no longer need to make rent, they might decide that they like farming more.

    • yieldcrv a year ago

      Organizations in the crypto space more frequently value their bug bounty programs more accurately and pay in very clear terms, almost instantly

      Some take a bureaucratic approach but they are labeled as such on the bug bounty marketplaces

      Web 2.0 organizations aren’t just competing with the gray market, they’re competing with Web 3.0’s licit market, while 3.0 is competing with immediate weaponization which is far easier to monetize

      • doe_eyes a year ago

        I don't think it's about accuracy. It's just a different world. A bug in a smart contract exposes them to unavoidable, catastrophic losses. An XSS on google.com... doesn't.

        • yieldcrv a year ago

          those worlds compete for mindshare

          people don't consistently enter the same market for less compensation when given the choice

  • j45 a year ago

    A thought: when these big bugs occur and bounties are awarded, they can't look too great.

    I wonder if it's because Google was hit with more issues because they started doing cloud apps a bit before microsoft, amazon, etc.

    The example that comes to mind is Gmail and its rapid growth and the issues it learned to sort out while it was becoming Workspace.

    No cloud is perfect, however I have heard different clouds have different maturity levels in certain areas of their security.

    Something to always think about when using the cloud, which is someone else's computer.

    If something goes wrong at the cloud provider you'd have to deal with securing it somehow moving forward anyway, so why not when selecting a cloud and trying to be hybrid cloud, or cloud agnostic.

  • joshuamorton a year ago

    On the other hand, if you boost these too much, you're now incentivizing your full-time security researchers, who have white box access, to leave and make more money doing white hat black box vuln checking.

    And from there it follows that maybe the market rate isn't really that high, zerodium pays, maybe 2x what Google does for similar vulnerabilities, which is more but not a ton more.

  • omoikane a year ago

    Maybe these bounties are intentionally set to be roughly comparable to annual salaries. A very high bounty might encourage developers to plant backdoors instead, a la cobra effect:

    https://en.wikipedia.org/wiki/Perverse_incentive

  • jcims a year ago

    You're making a bit of an assumption that the black market won't simply adjust to incentivize darkening the hat.

    • Topfi a year ago

      Absolutely, that would most likely happen, they'd compete like any other market. However, a more appropriate financial compensation would still come with all the other benefits that I mentioned. Reporting to the affected company tends to come with positive public exposure, potential long-term job offers from that company or others, and receiving taxable income with few complications. Even selling exploits to intelligence agencies or nation-states likely involves more hurdles compared to dealing with companies like Alphabet or Microsoft.

      Receiving 75k from Google versus a few hundred thousand from a less reputable source is a different scenario compared to getting a few hundred thousand from Google versus slightly more from those same sources. In the former, I'd have a hard time not going for the large yet morally dubious payday. With the latter, I feel like most, myself included, would stick with Google.

      • immibis a year ago

        Reporting a security issue to a company also comes with a large risk of being arrested and sentenced. Maybe not Google in particular, but it doesn't happen infrequently that someone reports a security issue to a company and is then convicted of hacking. Those people definitely wish they'd sold their exploit to hackers.

    • iftheshoefitss a year ago

      On bro plus that side doesn’t pay taxes / it’s free cash anyway

  • doix a year ago

    So morality aside, I imagine dealing with large amounts of money that you can't explain the origin of isn't simple.

    You can't just do a bank transfer, so you're probably getting paid on crypto. Converting the crypto to fiat will probably be a pain. All the reputable exchanges have KYC requirements. You'd have to explain how you came to acquire so much crypto.

    I guess you could get paid in a suitcase of cash, but that has its own headaches.

    Personally, I'm just picturing so many headaches that even if I wasn't morally against selling it to the highest bidder, it doesn't feel worth it. Selling to some other "proper" corporate entity or a government agency seems reasonable, but are they offering more than Google?

    • tedivm a year ago

      There are legitimate companies that buy exploits, not just ones that are on the dark web and pay in bitcoin.

      Just with a quick check I found Zerodium, which claims to offer bounties up to $2.5 million. They say their clients are "government institutions (mainly from Europe and North America) in need of advanced zero-day exploits and cybersecurity capabilities."

      https://zerodium.com/

      • wavemode a year ago

        At the same time, it's likely that Google's (along with most companies) VRP are not actually trying to compete on price with government exploit purchasers. If such an institution is trying to get into someone's Gmail account, they will probably find a way anyhow. And if they do need a certain exploit to do it, they have infinite funds to just keep upping the price they offer.

        It's pretty much "Mossad/Not Mossad" threat modeling: https://philsrandomblathering.quora.com/The-Mossad-Not-Mossa...

      • doe_eyes a year ago

        No one paying you $2.5 million for exclusive access to an exploit is planning to do anything even remotely "legitimate".

        On a good day, you might be selling to the CIA and helping catch bin Laden. On a bad day, you're selling to the Saudis and getting a journalist killed. I bet that "mainly" is doing a lot of heavy lifting in that sentence - plus, "Europe" includes Albania, Belarus, portions of Turkey, and more.

        • hobo_in_library a year ago

          On a worse day, you're selling to Israel and getting a 6 year old girl's jaw blown off

        • tedivm a year ago

          I meant legitimate in the sense that you won't go to jail, and you'll get an I9 for your taxes. I did not mean it as ethical, and I definitely agree with what you're saying there.

        • teractiveodular a year ago

          "Legitimate" in the limited sense that you can invoice them for cybersecurity consulting, they'll pay you in fiat, and you can report this income to the tax office.

    • tkz1312 a year ago

      There is a thriving “grey” market for vulnerabilities, where brokers buy vulns and sell them on to e.g. intelligence agencies. This is well established and unlikely to cause much legal difficulty for the bug finder.

  • soferio a year ago

    I agree. As a Nest user, I am astonished at how low the bounty is.

  • amelius a year ago

    This is why a hacker should consult an agent that has more experience in negotiating with these companies.

  • ForHackernews a year ago

    > especially considering any such exploit would most certainly hit their bottom line/stock far beyond a few 100k.

    This assumption seems misplaced. Can you give an example of a security exploit seriously impacting the finances of a publicly traded company?

    This is also on the front page https://news.ycombinator.com/item?id=40944505 and I really doubt AT&T stock will suffer significantly. Maybe they'll miss Q3 targets, but they'll be fine. All the execs will get their bonuses.

    • hn_go_brrrrr a year ago

      Google has 12B shares outstanding. A 1 cent hit to share price is already far more than $100K.

      • lrem a year ago

        Google has thousands of things going for and against it at any point in time. Unless an event is bad enough to wipe out tens of billions at once, there’s no way to quantify. And what can’t be measured can’t be a target.

    • iaaan a year ago

      Solarwinds

      • Topfi a year ago

        How could I forget that one. Solarwinds is an even better example than the ones I remembered (Equifax and Yahoo).

    • Topfi a year ago

      I have a few examples I remembered where there was both a short-term impact on the stock directly after the publication of a breach and the stock remained at a lower point across an extended period of time. I have to admit though that it is nearly impossible to attribute how much of this drop in value and the stock staying at that lower level can be directly attributed to the breach compared to other reasons, such as general performance, etc. However, on the other hand, this also does not reflect the likely high spending a company tends to do in the aftermath of such a breach on better security, PR, settling lawsuits, etc., which most certainly exceeds 75k, a rounding error for a business of any significant size.

      Anyway, here are two examples off the top of my head:

      Of course, the big one, Equifax, which had a significant drop in the week after the announcement. It took roughly two years for the stock to trade at pre-breach levels [0], likely in part due to their less than stellar handling of the aftermath, though I'd still consider that directly linked to the breach.

      More to the point, there was Yahoo, which I wanted to mention because its impact was more clearly measurable. What was weird about that one is that their case centered around a belated (by two years) announcement of a breach they faced between 2013 and 2014. That did impact their stock, but more importantly, it's the reason for a 350 million USD reduction in the acquisition price Verizon had to pay for Yahoo [1]. Verizon agreed to cover half the cost of non-SEC government investigations and third-party lawsuits (which I feel also would fall under hitting their "bottom line"), while Yahoo covered the other half and any liability from shareholder lawsuits or SEC investigations. That 350 million USD plus fines to me is the clearest number one can put on a breach and I feel it shows that, whatever one thinks is fair compensation for reporting 0-days, 75k is far removed from that.

      So yeah, there have been cases where a security exploit seriously impacted the finances of a publicly traded company, and keep in mind, I only stuck with actual reductions in their stock value/acquisition price.

      [0] https://www.marketwatch.com/investing/stock/efx

      [1] https://www.geekwire.com/2017/verizon-pays-350m-less-yahoo-f...

sirdarckcat a year ago

151515 is such an elitist number.. 3 * 13 * 37 * 3 * 5 * 7

neilv a year ago

So if you find several catastrophic vulnerabilities each year, then you can make as much as one of the many people whose jobs it was not to create those vulnerabilities in the first place? :)

  • borski a year ago

    Yes, but you only have to succeed once. They have to succeed every time, which is a much much harder proposition.

lallysingh a year ago

Question for the hackers: how much effort goes into solving these bounties, and are they monetarily worth the time?

I'm wondering if bounty programs effectively form a low-paid gig economy for programmers.

  • xyst a year ago

    It's not worth it. Payout by default is at least 90+ days (or 3 months) after disclosure (this is standard operating procedure to give company time to fix vulnerability). Then some companies have some bullshit internal company procedure for payout ("only at the end of the quarter"). Some companies dangle the carrot of "higher payouts" but after an internal review by some fresh out of college, security bootcamp asshole. The committee downgrades it to a less severe vulnerability (ie, fuck you).

    The number of clueless individuals running these bug bounty programs is not worth it. The only reason most people do it is for the "fame" within the security community; or that occasional researcher that was just bored.

    Even worse, some companies (like South Korean companies) will not even pay out if you are not a citizen of the country. Makes no sense to me.

    • 8organicbits a year ago

      Agreed about boredom. There are times I've discovered issues incidentally, checked if the company had a bug bounty program. If they don't, I may chuck a vague email to security@, if they do I'll write something quick and take whatever they send. I've seen $3k once from this, but usually it's not enough to justify the time it takes to do the write up. There are far too many: out of scope, we already know, or other non-payment results.

  • borski a year ago

    They pay much less than selling the equivalent vulnerabilities to unnamed entities (there are brokers for it).

    But, and this is the important part, in this case there is zero moral quandary, whereas when selling an 0day there is a significant moral question depending on who you’re selling to.

    Some people do make it their full time gig, but it’s fairly unpredictable is the issue; much like “gig work,” you’re not guaranteed to find a vuln, and the timing between findings is going to be inconsistent at best.

    • doe_eyes a year ago

      It's also easier than "gray market" sales. Bug bounties pay for a wider variety of bugs, including plenty of stuff that's of no interest to your perhaps-Saudi buyers; and they don't require you to develop a weaponized exploit - "hey, I noticed this crashes" is often enough.

      Plus, less risk of waking up and finding out you've been sanctioned by OFAC or something like that.

      • Ozzie_osman a year ago

        curious why Saudi? Are they known to be prolific buyers of vulnerabilities?

        • doe_eyes a year ago

          They're rich, don't hold civil liberties in high esteem, and don't have a lot of in-house expertise. So, yeah - along with some neighboring states, they're a buyer for tools they use to target journalists, dissidents, etc.

          China and Russia are on the same boat, but they are far more capable with in-house tech.

          • Ozzie_osman a year ago

            OK, I see. Re-reading this with your top-level post, it's "not all vulnerabilities are the type that could be bought by (insert state actor)", which makes sense (for some reason I thought you meant that they were buying the type of bugs that would end up getting reported to a BBP, but I just misread the original comment).

            And yes the Saudis definitely bought software from NSO Group but it's also been used by plenty of other governments, including half the EU...

          • borski a year ago

            Also, just to be clear - the US gov buys tons of zerodays.

          • shortsunblack a year ago

            NSA banking EternalBlue was the reason for Wannacry ransomware proliferation, which killed people due to downtime of hospital systems.

        • 3np a year ago

          perhaps-Saudi-prob-Israel.

          (Israel is known to be prolific; many brokers and the whole industry on all sides has a lot of people and entities from Israel. Saudi is publicly obv active due to stories like MBS pwning Bezos over WhatsApp)

        • pizzalife a year ago

          Yes, they used a WhatsApp 0day in the murder of Khashoggi.

    • HPsquared a year ago

      Finding a vuln and selling to Google is also presumably something you can put on your resume. Like a portfolio piece.

      • borski a year ago

        True. It’s not likely to be a huge difference-maker, but it certainly belongs on a resume more than “sold 0day to foreign governments” heh

    • lallysingh a year ago

      Fair enough, but do people claim them after finding them by accident? Or do people see a bounty and then put in up to X hours of effort (before either succeeding or giving up)? Does that model end up with a reasonable hourly rate?

      I'm trying to figure out the labor-side economics of this.

      Generally the supply side is getting a massive discount on these vulnerabilities compared to their potential costs. Although perhaps the discount applied is appropriate considering how few vulnerabilities do result in observable expense.

      • fullspectrumdev a year ago

        The economics of bug bounties from a “bug hunters” perspective are quite interesting! I’m going to give the short version.

        There are public (such as the one being discussed here) and private programs.

        To gain access to private programs you have to be invited to participate - you get an invite usually based on reputation for providing good reports on public programs.

        Platforms like H1 and BugCrowd act as intermediaries for this, with reputation scores, etc.

        It should also be noted here that if you rediscover a bug someone else reported, you don’t usually get paid.

        With public BBP/VRP, you are competing against everyone in the space against a relatively limited subset of targets. The way to “win” is to either “go deep” against high payout targets, expending a lot of effort in the hopes of avoiding a duplicate finding, or to invest heavily in automation, or some combination of the above.

        With private programs you are competing against many fewer people and have a higher probability of payout for time/effort expended.

        The guys who tend to make a shitload of money off BBP/VRP either are focused solely on a handful of high payout targets, or have invested heavily in automation to grind public programs, gain invites to private ones, and repeat.

        A lot of the better offerings in the “continuous vuln scanning” or “attack surface monitoring” market are from people who have been “full time” bounty hunters for a while, built out significant automation platforms, and pivoted to offering it as SaaS products to enterprise for detection of issues.

        There’s a lot more to it, but it’s probably worth a blog post at some point tbh.

        In my own experience, as someone who has participated in bug bounties and vuln disclosure programmes in my free time for about a decade now, I usually land a couple of nice payouts per year and a lot of issues reported without payment.

      • edent a year ago

        Yes. I've claimed a few Bug Bounties after accidentally discovering them. For example https://shkspr.mobi/blog/2021/12/responsible-disclosure-chro...

        It is uncertain work. As well as finding the exploit, you've got to write it up in such a way that it is convincing to the people reading it. Then you have to argue with them if they don't accept it. You have to pay currency conversion fees and, depending on where you live, tax on income.

        That's a lot of work. But it is significantly easier (I imagine) than selling to the mafia. The bad guys don't have a publicly available schedule of payments. And if they don't pay, you can't complain publicly.

      • borski a year ago

        Both. And the issue about trying to relate it to an hourly rate is the immense unpredictability. Some months (and some companies) may have a lot of vulns in a new product and it’s open season for a bit, but then it slows down, and you’re constantly hunting for new bounties.

        It’s not entirely unlike a proper consulting gig, where half your time is spent doing the job, and half your time is spent building a pipeline of future work.

      • kyawzazaw a year ago

        it is pretty lucrative for researchers who are unable to find similarly paying full time jobs in their countries

      • 0cf8612b2e1e a year ago

        Only economical way is to collect a salary from the NSA while hunting for the exploits. Otherwise seems too much of a lottery on both discovering a valuable exploit and getting a sufficient payout.

    • Thorrez a year ago

      There are brokers for website vulns? This presentation says there are brokers for clientside RCE vulns, but doesn't mention any brokers for website vulns.

      https://github.com/mdowd79/presentations/blob/main/bluehat20...

      • borski a year ago

        It depends on the vuln and the need. For example, an XSS won’t net you very much, unless the buyer already has a browser RCE but needs a way to deliver it to a target they know uses a particular service or browser, and for that they may need an XSS.

        Still won’t net you as much as an RCE, but they do get bought sometimes.

    • Ozzie_osman a year ago

      > in this case there is zero moral quandary

      And zero legal quandary.

  • bink a year ago

    I've been on both sides of bug bounties for many years. In truth, no one is offering a comparable bounty to what you can get selling exploits to a reseller. The closest would be Apple or Google with their million dollar bounties for cell phone exploits, but even that is likely underpaying.

    The real value of bug bounties is for less sensitive products that aren't really big targets for nation states. Startups with products that haven't seen wide deployment in sensitive industries, for example.

    There are many people who are perfectly happy getting "rep" and lower payouts for finding flaws in even the highly targeted applications, thankfully.

  • byearthithatius a year ago

    > I'm wondering if bounty programs effectively form a low-paid gig economy for programmers.

    Most certainly, or those who can't get jobs because of their record but know how to code.

    • doe_eyes a year ago

      There's a lot of participation from India and other lower-income countries. Not a bad thing - it keeps a fair number of talented school-age kids gainfully employed, and it's a lot more dignified than being paid peanuts for solving captchas.

  • 8organicbits a year ago

    The highest ROI for me were bugs I found incidentally. Like I was building a client for some auth scheme and... yikes the documentation made it clear they are vulnerable. No POC needed, mostly linked to the part of the spec they forgot.

    Bug finding requires theory building and guesswork. You're working blind. Reporting requires detailed technical writing and POC implementation. It's time consuming, so unless you're able to crank out findings or submit the same issue to multiple companies in parallel, the hourly rate will be low. Companies are flooded with low quality reports, so you really need to make the issue crystal clear.

    Private bug bounties are better because there's usually obvious issues, but you're racing to be first to report.

    Contract security work is much more predictable. Companies who "haven't thought about security before" are desperate for help. You can get more money building a system inventory, recommending updates for EOL systems, finding leaked passwords, and turning on firewalls. Basically engineering teams that know they have issues, but need someone external to make it clear to management that they need to invest in security. I've never failed to find at least one way to get system root or cloud admin rights on those contracts.

  • bkallus a year ago

    My experience participating in Google's program has been pretty good. The reward money is a nice supplement to my grad student stipend. I got a free trip to DEFCON out of it, too.

  • Thorrez a year ago

    Here's someone who found 120 bugs in 120 days (in addition to working full time). The bounties totaled $80k.

    https://shubs.io/high-frequency-security-bug-hunting-120-day...

zb3 a year ago

I personally know at least one normally functioning person that didn't claim their $1k bounty due to the complexity of that process (also bureaucracy).

Fortunately this is not a problem for me, because I couldn't find anything even if I wanted to.

xyst a year ago

Hot Take: these bug bounty systems are a way to get cheap labor.

Instead of spending the time and money to build secure systems up front, they will offload this to "bounty programs" where the time spent finding vulnerabilities will not match the reward. It's like an unpaid internship, but worse since you are competing with people of varying cost of living requirements.

Yea, a potential $150K bounty sounds like a shit ton of money for a person in a third world country. But for anybody else (given the same time spent finding the vulnerability), there is no financial motivation. Only "fame" via disclosure reports in the security community.

This is the equivalent of a customer asking a professional photographer who is new on the scene to do their photography for free in exchange for "exposure". No, you aren't innovative. You are a cheap asshole.

  • dmazzoni a year ago

    If it really was a way to get cheap labor, more companies would be doing it.

    As it is now, only the largest tech companies with the strongest security records are actually running good bug bounty programs. They have excellent, well-paid security teams and they put systems in place to incentivize all of their employees to write secure code. But, they know that (1) mistakes can still happen, (2) clever vulnerabilities can be discovered that get around code that was previously thought to be following all best practices, and finally they understand very well that (3) if they don't pay, others will.

    Unfortunately it's the companies that need it most - like AT&T and Experian - that have the worst track record with rewarding third-party security researchers.

  • borski a year ago

    That’s not actually fair.

    Defense is very hard. Offense, by comparison, is much easier. An attacker has to win once, and then they’re in.

    A defender has to win every time, which is much much harder, if not impossible.

    • shortsunblack a year ago

      Defender does not have to win every time. That is what defense in depth is all about. Multiple lines of defense.

      • borski a year ago

        You’re missing the point, either intentionally or unintentionally.

        No matter how many lines of defense in depth you have, protecting the surface area of a product or service is always going to be harder than attacking it.

pizzalife a year ago

This is still not nearly enough to reach parity with market prices. Try offering a few million.

modeless a year ago

We will know AGI is here when an agent can autonomously claim these bounties.

laweijfmvo a year ago

> A logic flaw leading to an accounts.google.com @gmail.com account takeover ($50,000 * 1.5) = $75,000

Should be $10m honestly.

  • byearthithatius a year ago

    Right, with something that powerful I would just sell the 0-day to the highest bidder. Or even use it to commit some fraud. Taking over any @gmail account is a pretty powerful exploit that could lead to a lot of monetary compensation if used correctly. Scary that Google only sees that as being worth 75k (way less than one year's engineering salary).

    Not actually, I am not a law breaker;)

    • 0cf8612b2e1e a year ago

      What is the legality of selling an exploit? Are you free and clear, or can you be tagged with enabling a future crime? Would they need to be able to trace a specific incident back to your exploit or get you on a catch-all law?

      Bugs are found all the time. Sharing a bug you found is not a crime, but I imagine they can always get you on tax fraud.

      • bink a year ago

        There are quite a few "legit" exploit resellers who will gladly pay millions for exploits and report the income to the IRS. They seem to do fine legally so long as their primary customers are govt or quasi-govt agencies. Now, if you decided to sell to an embargoed country I'm sure they'd suddenly declare the exploits munitions and try to lock you up for a long time.

      • doe_eyes a year ago

        There's no specific law against selling exploits. The problem is the subsequent crime - and if someone wants to pay you a lot of money for a 0-day in Google, it's hard to come up with an explanation other than that they're about to commit a crime.

        So, if you knew or should have known, then feigning ignorance won't save you and you won't be having a good time.

      • yieldcrv a year ago

        Selling exploits isn’t subject to criminal sanctions

        There are no issues reporting the income on tax filings

    • nox101 a year ago

      I'd expect getting involved with bad people would lead to bad outcomes. The "must tie up any loose ends" trope. Too many movies?

    • zeroCalories a year ago

      You're both missing the point. Consider this: you're a big tech engineer, would you risk your career and many years in jail for 75k? Of course not. How about 5 million? Maybe you would... Big tech already has a massive problem with insider threats, they don't need to offer some of the most clever programmers in the world (their employees) a massive incentive to screw them over.

      • c4wrd a year ago

        The point you are missing is that many of us do not have big tech careers. I am very fortunate to have a big tech career, but before I was hit by a stroke of luck, I was doing gig work paycheck to paycheck barely making ends meet. When you can’t see more than two weeks ahead in time, which you cannot do living paycheck to paycheck, you don’t think about the long term consequences because you are not capable of it. The incentive structure is too strong to sell zero days to any external party for those who have nothing to do all day but try to find exploits.

        • dmurray a year ago

          I think GP is suggesting an insider could introduce a bug, have a confederate "find" it, and split the money. At $5m I think more than a few big tech employees might decide to write themselves a new minivan.

          • bahmboo a year ago

            I think you'd have a tough time deliberately putting something like that in at a large company. The cost of failure is losing a very good job.

            If you discovered a vulnerability and sat on it for a future payout that would be more likely, yet still risky.

            Though it does come down to choosing to do crimes in the face of incentives and disincentives. Nothing unique here - humans break the rules all the time.

            • zeroCalories a year ago

              It's trivial for a motivated engineer to deliberately introduce bugs, most couldn't avoid it if they tried. It wouldn't be too hard to pass it off as an honest mistake either. You might not even lose your job, as a lot of places have a "blameless culture".

  • anothername12 a year ago

    That was my first thought. How much does the market pay for an account takeover?

  • walrushunter a year ago

    $10M is ridiculously low. Shame on you for even proposing that. It should be $100B at least.

nothrowaways a year ago

151515.151

tkz1312 a year ago

These amounts are hilariously low. $150k for a full gmail account takeover is peanuts compared to the potential impact, and the $4k for PII leak on nest.com is frankly just insulting.
