I think this probably isn’t the high end of what one could do if one were bug bountying seriously like it were a business, but I suppose that that asymptotically approaches running a security consultancy and may be dominated by doing so. Also, software people: charge more. https://twitter.com/nnwakelam/status/1139640401596305408
You then optimize each phase like a standard pipeline: the scouts are scored on how many leads they generate, the exploit writers grade leads and are scored on how many they get an X/Y/Z severity on, the report writers on converting that to cash quickly.
I think the lynchpin is probably the exploit writers and that the management style described will be pretty unhappy for them, so you probably compensate by saying that their total target comp is $300k and that it’s entirely remote w/ no questions on work style if they hit #s.
“What does management do after setting this up?” Go to the big bug bounty targets and get better terms than are publicly available in return for higher productivity and better reports. This asymptotically approaches making you a retained security consultancy.
“Better terms?” If you’re dominating the internal leaderboard which of these asks is out of bounds: a) A complete description of all their properties b) Heads up about new services c) A named engineering contact and 24 hr response SLA d) A deposit against your future bugs
Except you can’t get 200 exploit dudes on your team with different skill sets and approaches