You will notice that some of the things listed are not financial; there's more to it than just money. Cost is only one aspect of this: employee morale matters (assuming you work at a company that's not soulless), and the effect on customers matters as well...
Let me rephrase:
- The cost of a vuln is what $company has to pay for it (money, time, reputation).
- The price of a vuln is what $bughunter gets from it (money, fame, glory).
- The value is what $company gets from the $vulnerability.
With FD, is value - cost < 0?
How do you put a monetary value on the pain experienced by customers, the mom who lost all photos of her little child to ransomware exploiting a 0-day? What's the monetary cost of burnt-out employees? It's not just financial mathematics.
Easy. Will the knowledge of the vulnerability allow you to prevent new ones from being introduced and exploited in the future? What's the likelihood of exploitation for each? Qualitatively, is the knowledge of the vulns today more valuable for your customers in the long term?
You could get that knowledge through other means that are less costly. Double the price of the bounty for coordinated disclosure and give 0 to FD, I bet you will achieve better results for cheaper, and that mom will be able to see her little child's photos.
What are the three options? 0x for FD. 1x for ???. 2x for CD.
I *personally* think that a lot of people are able to find bugs, but few are able to build a proper exploit and provide all the details of a solid report. So I could see enabling these people as a potential benefit if you can get automation to do root cause & severity analysis.
Aside from that, not sure what a median step between CD and FD would be. You guys (as does MS) have lots of internal tooling for debugging / analysis. It appears publicly sometimes, but better tooling out there would likely lead to more findings.
OK, I still suspect the cost of FD is lower than the value we get from at least some bugs, so I still imagine the % wouldn't be 0. That said, marketed vulns with low impact are very likely to cause issues in a %-based calculation.
What’s the impetus of the researcher to disclose right away? Why can’t they wait until the vuln is fixed?
Or put another way, if the researcher wants to publish immediately despite the potential harm to the company, would they accept a payment under the same terms, i.e., publicly disclosed payment instructions, with the first person to follow them getting the payment?

Jul 23, 2019 · 3:39 PM UTC

Replying to @bilcorry @hsultan75
I'm mostly thinking about two cases: 1. Cases when doing the research in public helps. Teamwork with the internet, or at least your Twitter followers. 2. Cases when reporting the bug ahead of time has downsides for the finder (e.g., in CTF tasks).
I still think we should encourage research in those forms (and probably others I haven't thought of).