Q: Do you have enough domain knowledge to be judging the incentives ?
Well... I don't know. Does anyone have to be a domain expert to say that security reporting that affects tens or hundreds of millions of people should be compensated better than 1k USD?
I dislike a bit the "justified" argument, as very often it dismisses important weak-signal warnings. Our work in security is often about being sensitive and not dismissive. But here you go:
I've been in infosec since 1987 (34 years) and never left it, so I'll let you decide ;-) even if I'm a dinosaur in Internet times ;-)
Q: What do you think would be a fair amount ?
IMHO, the fair amount is definitely in the tens of thousands.
But we could attempt a quantified approach, always debatable (Risk = Likelihood * Consequence), e.g. Likelihood based on phishing campaign success per country or globally, and then the mean / average cost of theft when leveraging the full exploit chain (IPC included), i.e. cookies -> auth -> leveraged identity theft impact. And then give a percentage of that cost as a bounty-based "insurance" mechanism. Not easy, but an attempt could be made. Surely that would result in way higher compensation.
The Likelihood of this bug being exploited is damn low. It requires the download of an HTML file, and then the target would have to double-click it. On top of that, the Consequences of it are not that serious. So you provided your answer as to why the bug only got $1000.