,
9 tweets,
2 min read
Read on Twitter
I think this probably isn’t the high end of what one could do if one were big bountying seriously like it were a business, but I suppose that that asymptotically approaches running a security consultancy and may be dominated by doing so.
Also, software people: charge more.
Also, software people: charge more.
Theoretically as a rational consultant one should want to command much higher rates for doing work in advance of a commitment to payment, which is the bug bounty model, but in practice this isn’t true of any bugs which require material human effort to find.
I think this is *partially* a function between bug bounties successfully arbitraging the cost of work versus play and the wages due to people who could pass an interview loop at a bounty target and those who can beat the engineers who did pass that interview loop.
(Part of the second is regulatory arbitrage, where companies seem to be much more comfortable doing a bug bounty than doing employment or a “real” consulting contract over international boundaries.)
Anyhow if you hypothetically put a gun to my head and said “Maximize the profits of a bug bounty shop” I’d specialize the labor: a bench of devs doing tool writing, cheap folks operating scanners, an exploit group, and report writers / submissions managers.
You then optimize each phase like a standard pipeline: the scouts are scored on how many leads they generate, the exploit writers grade leads and are scored on how many they get an X/Y/Z severity on, the report writers on converting that to cash quickly.
I think the lynchpin is probably the exploit writers and that the management style described will be pretty unhappy for them, so you probably compensate by saying that their total target comp is $300k and that it’s entirely remote w/ no questions on work style if they hit #s.
“What does management do after setting this up?”
Go to the big bug bounty targets and get better terms than are publicly available in return for higher productivity and better reports. This asymptotically approaches making you a retained security consultancy.
Go to the big bug bounty targets and get better terms than are publicly available in return for higher productivity and better reports. This asymptotically approaches making you a retained security consultancy.
“Better terms?”
If you’re dominating the internal leaderboard which of these asks is out of bounds:
a) A complete description of all their properties
b) Heads up about new services
c) A named engineering contact and 24 hr response SLA
d) A deposit against your future bugs
If you’re dominating the internal leaderboard which of these asks is out of bounds:
a) A complete description of all their properties
b) Heads up about new services
c) A named engineering contact and 24 hr response SLA
d) A deposit against your future bugs
