Katie Moussouris
This is why bug bounties MUST NOT exceed the price a developer or tester would make in salary. This is why those $250,000 bug bounties for side channel vulnerabilities are too high. We're damaging the defense pipeline w perverse incentives for bug hunters.
Jon McCoy 17 Mar 18
Replying to @mattblaze @k8em0
I kinda hope a $250K bug bounty will encourage $250K jobs : )
Matt King 17 Mar 18
Replying to @k8em0
You are massively underestimating the effort and cost required to develop side channel attacks. $250k is stupid cheap for a novel side channel. Absolutely no-one is quitting their day job over this bounty. And probably still wouldn't if it was 10x higher.
Katie Moussouris 17 Mar 18
Replying to @syncsrc
Ok, pal. Like it didn't already happen at Apple, & current and former MS & chip maker employees, plus salaried penetration testers hired to find these, aren't right this minute weighing their options.
Katie Moussouris 17 Mar 18
Replying to @thejonmccoy @mattblaze
Ok, say billion-dollar companies start paying that much to employees who code & test. Can start-ups keep up? How many bug bounty *platform* engineers make $250,000? You think they aren't tempted to collude or quit or both? At what point does a start-up need to raise salaries?
Matt King 17 Mar 18
Replying to @k8em0 @Riscure @tehjh
Excluding , the other teams that found Spectre/Meltdown spent multiple person-years of combined effort. All of those researchers can easily command six figure salaries, which is more than this bounty would have paid out.
Tim Dierks 17 Mar 18
I can see the point on collusion, but it's a lot easier to fix bugs than it is to find them, and market dynamics can take care of supply and demand, I think. And incentives flowing towards not releasing buggy software to pay less bounties seem aligned to me.
Katie Moussouris 17 Mar 18
Equipment barrier to entry you say? That's never been gutted with innovation before. Neither of course, has anyone ever written a tool to quickly find things that took manual labor to find before. Your argument assumes the state of difficulty/innovation for research is static.
Katie Moussouris 17 Mar 18
It's by no means "a lot easier to fix bugs than to find them". Not even going to waste more time arguing nuance on a platform never designed for it. That's enough. Peace, Tweeps.
Alex Ionescu 17 Mar 18
Replying to @k8em0
The “balanced to salary” argument is also hard to make in light of internationally scoped bounties that pay in US dollars vs. local currency. See Pwn2Own and its relationship to Chinese researchers.
Katie Moussouris 17 Mar 18
Replying to @aionescu
Can't compete with the offense market on price, Alex. It's what I've been saying for years.
Alex Ionescu 17 Mar 18
Replying to @k8em0
That market**
Katie Moussouris 17 Mar 18
Replying to @aionescu
Come to my RSA talk then. ;)
Eduardo Vela 17 Mar 18
Replying to @k8em0
Might be true for low-hanging fruit, but once bugs become hard to find, the cost of switching from defense to bug hunting becomes too high.
Katie Moussouris 17 Mar 18
Replying to @sirdarckcat
The fruit lowers as innovation increases.
Jann Horn 17 Mar 18
Replying to @k8em0 @syncsrc
to me, your points seem more applicable to bounties for normal software bugs than to this specific case
Katie Moussouris 17 Mar 18
Replying to @tehjh @syncsrc
Twitter isn't the place to debate this. I've been saying that there's a point where bug bounties won't get you what you want. Go too high, you kill your hiring pipeline. Higher skilled folks don't want to gamble, exactly right. This is the price point of perverse incentives.
Katie Moussouris 17 Mar 18
Replying to @notdan
Not at all what I said. :)
Matt King 17 Mar 18
Replying to @k8em0 @tehjh
I don't think anyone's disagreeing on anything other than the appropriate price point for a given class of bug. I'm more than happy to pick up the bar tab for that debate. :)
Katie Moussouris 17 Mar 18
Replying to @syncsrc @tehjh
Deal. :)