Defensive efforts to patch vulnerabilities have little effect on exploits. They usually die from unrelated code churn. pic.twitter.com/cVZRZwrVzQ
Extraordinarily few people are capable of professional exploit development, an order of magnitude less than the number of bug bounty hunters pic.twitter.com/G1rD45w0xz
To those dismissing this RAND report: Ignore it at your own peril. This is the best data ever released on real exploit development, period.
who is dismissing it?
I’ve seen several people take issue with it. @taviso being one of them. (I think it’s excellent, IMO).
I think you must be thinking of @halvarflake, I'm not involved.
Didn’t you mention something about Full Disclosure?
Unrelated.
what is this thread and how did I get here? ;)
does that mean that increased demand for exploits by intel & LE worldwide would not affect the bug bounty market economics? @k8em0
According to the data in this report, bug bounties have little to no impact on the day to day lives of pro exploit devs.
so exploit markets and bug bounties do not compete for talent in the same pool?
It is strongly implied that they do not overlap for BUSBY, the subject of the study.
That's a pretty huge claim. Is it over-generalized? Occasionally very good bugs come through bounty programs...
Even if it is a tiny percentage of bounty submissions, it can be a sizable proportion of bugs that are interesting to exploit devs
I believe the focus here is the level of expertise required for respectable exploit development
Not necessarily the perceived interest of submitted bugs by exploit developers.
For skill and techniques, sure, big divergence, but little overlap in bugs implies bounties have near zero value
IMHO there's no correlation being drawn here to the value of bug bounties at all. Nobody is denying their value.