I think this probably isn’t the high end of what one could do if one were big bountying seriously like it were a business, but I suppose that that asymptotically approaches running a security consultancy and may be dominated by doing so. Also, software people: charge more. https://twitter.com/nnwakelam/status/1139640401596305408
I think this is *partially* a function between bug bounties successfully arbitraging the cost of work versus play and the wages due to people who could pass an interview loop at a bounty target and those who can beat the engineers who did pass that interview loop.
(Part of the second is regulatory arbitrage, where companies seem to be much more comfortable doing a bug bounty than doing employment or a “real” consulting contract over international boundaries.)
Anyhow if you hypothetically put a gun to my head and said “Maximize the profits of a bug bounty shop” I’d specialize the labor: a bench of devs doing tool writing, cheap folks operating scanners, an exploit group, and report writers / submissions managers.
You then optimize each phase like a standard pipeline: the scouts are scored on how many leads they generate, the exploit writers grade leads and are scored on how many they get an X/Y/Z severity on, the report writers on converting that to cash quickly.
I think the lynchpin is probably the exploit writers and that the management style described will be pretty unhappy for them, so you probably compensate by saying that their total target comp is $300k and that it’s entirely remote w/ no questions on work style if they hit #s.
“What does management do after setting this up?” Go to the big bug bounty targets and get better terms than are publicly available in return for higher productivity and better reports. This asymptotically approaches making you a retained security consultancy.
“Better terms?” If you’re dominating the internal leaderboard which of these asks is out of bounds: a) A complete description of all their properties b) Heads up about new services c) A named engineering contact and 24 hr response SLA d) A deposit against your future bugs