Thread by Patrick McKenzie (9 tweets)
I think this probably isn’t the high end of what one could do if one were bug bountying seriously like it were a business, but I suppose that that asymptotically approaches running a security consultancy and may be dominated by doing so.

Also, software people: charge more.
Theoretically as a rational consultant one should want to command much higher rates for doing work in advance of a commitment to payment, which is the bug bounty model, but in practice this isn’t true of any bugs which require material human effort to find.
I think this is *partially* a function between bug bounties successfully arbitraging the cost of work versus play and the wages due to people who could pass an interview loop at a bounty target and those who can beat the engineers who did pass that interview loop.
(Part of the second is regulatory arbitrage, where companies seem to be much more comfortable doing a bug bounty than doing employment or a “real” consulting contract over international boundaries.)
Anyhow if you hypothetically put a gun to my head and said “Maximize the profits of a bug bounty shop” I’d specialize the labor: a bench of devs doing tool writing, cheap folks operating scanners, an exploit group, and report writers / submissions managers.
You then optimize each phase like a standard pipeline: the scouts are scored on how many leads they generate, the exploit writers grade leads and are scored on how many they get an X/Y/Z severity on, the report writers on converting that to cash quickly.
I think the lynchpin is probably the exploit writers and that the management style described will be pretty unhappy for them, so you probably compensate by saying that their total target comp is $300k and that it’s entirely remote w/ no questions on work style if they hit #s.
“What does management do after setting this up?”

Go to the big bug bounty targets and get better terms than are publicly available in return for higher productivity and better reports. This asymptotically approaches making you a retained security consultancy.
“Better terms?”

If you’re dominating the internal leaderboard which of these asks is out of bounds:

a) A complete description of all their properties
b) Heads up about new services
c) A named engineering contact and 24 hr response SLA
d) A deposit against your future bugs