
They pay much less than selling the equivalent vulnerabilities to unnamed entities (there are brokers for it).

But, and this is the important part, in this case there is zero moral quandary, whereas when selling an 0day there is a significant moral question depending on who you’re selling to.

Some people do make it their full time gig, but it’s fairly unpredictable is the issue; much like “gig work,” you’re not guaranteed to find a vuln, and the timing between findings is going to be inconsistent at best.



It's also easier than "gray market" sales. Bug bounties pay for a wider variety of bugs, including plenty of stuff that's of no interest to your perhaps-Saudi buyers; and they don't require you to develop a weaponized exploit - "hey, I noticed this crashes" is often enough.

Plus, less risk of waking up and finding out you've been sanctioned by OFAC or something like that.


curious why Saudi? Are they known to be prolific buyers of vulnerabilities?


They're rich, don't hold civil liberties in high esteem, and don't have a lot of in-house expertise. So, yeah - along with some neighboring states, they're a buyer for tools they use to target journalists, dissidents, etc.

China and Russia are on the same boat, but they are far more capable with in-house tech.


OK, I see. Re-reading this with your top-level post, it is "not all vulnerabilities are the type that could be bought by (insert state actor)", which makes sense (for some reason I thought you meant that they were buying the type of bugs that would end up getting reported to a BBP, but I just misread the original comment).

And yes the Saudis definitely bought software from NSO Group but it's also been used by plenty of other governments, including half the EU...


Also, just to be clear - the US gov buys tons of zerodays.


NSA banking EternalBlue was the reason for Wannacry ransomware proliferation, which killed people due to downtime of hospital systems.


perhaps-Saudi-prob-Israel.

(Israel is known to be prolific; many brokers and the whole industry on all sides has a lot of people and entities from Israel. Saudi is publicly obv active due to stories like MBS pwning Bezos over WhatsApp)


Yes, they used a WhatsApp 0day in the murder of Khashoggi.


Finding a vuln and selling to Google is also presumably something you can put on your resume. Like a portfolio piece.


True. It’s not likely to be a huge difference-maker, but it certainly belongs on a resume more than “sold 0day to foreign governments” heh


Fair enough, but do people claim them after finding them by accident? Or do people see a bounty and then put in up to X hours of effort (before either succeeding or giving up)? Does that model end up with a reasonable hourly rate?

I'm trying to figure out the labor-side economics of this.

Generally the supply side is getting a massive discount on these vulnerabilities compared to their potential costs. Although perhaps the discount that applies is appropriate considering how few vulnerabilities do result in observable expense.


The economics of bug bounties from a “bug hunters” perspective are quite interesting! I’m going to give the short version.

There are public (such as the one being discussed here) and private programs.

To gain access to private programs you have to be invited to participate - you get an invite usually based on reputation for providing good reports on public programs.

Platforms like H1 and BugCrowd act as intermediaries for this, with reputation scores, etc.

It should also be noted here that if you rediscover a bug someone else reported, you don’t usually get paid.

With public BBP/VRP, you are competing against everyone in the space against a relatively limited subset of targets. The way to “win” is to either “go deep” against high payout targets, expending a lot of effort in the hopes of avoiding a duplicate finding, or to invest heavily in automation, or some combination of the above.

With private programs you are competing against many fewer people and have a higher probability of payout for time/effort expended.

The guys who tend to make a shitload of money off BBP/VRP either are focused solely on a handful of high payout targets, or have invested heavily in automation to grind public programs, gain invites to private ones, and repeat.

A lot of the better offerings in the “continuous vuln scanning” or “attack surface monitoring” market are from people who have been “full time” bounty hunters for a while, built out significant automation platforms, and pivoted to offering it as SaaS products to enterprise for detection of issues.

There’s a lot more to it, but it’s probably worth a blog post at some point tbh.

In my own experience, as someone who has participated in bug bounties and vuln disclosure programmes in my free time for about a decade now, I usually land a couple of nice payouts per year and a lot of issues reported without payment.


Yes. I've claimed a few Bug Bounties after accidentally discovering them. For example https://shkspr.mobi/blog/2021/12/responsible-disclosure-chro...

It is uncertain work. As well as finding the exploit, you've got to write it up in such a way that it is convincing to the people reading it. Then you have to argue with them if they don't accept it. You have to pay currency conversion fees and, depending on where you live, tax on income.

That's a lot of work. But it is significantly easier (I imagine) than selling to the mafia. The bad guys don't have a publicly available schedule of payments. And if they don't pay, you can't complain publicly.


Both. And the issue about trying to relate it to an hourly rate is the immense unpredictability. Some months (and some companies) may have a lot of vulns in a new product and it’s open season for a bit, but then it slows down, and you’re constantly hunting for new bounties.

It’s not entirely unlike a proper consulting gig, where half your time is spent doing the job, and half your time is spent building a pipeline of future work.


It is pretty lucrative for researchers who are unable to find similarly paying full-time jobs in their countries.


Only economical way is to collect a salary from the NSA while hunting for the exploits. Otherwise seems too much of a lottery on both discovering a valuable exploit and getting a sufficient payout.


There are brokers for website vulns? This presentation says there are brokers for clientside RCE vulns, but doesn't mention any brokers for website vulns.

https://github.com/mdowd79/presentations/blob/main/bluehat20...


It depends on the vuln and the need. For example, an XSS won’t net you very much, unless the buyer already has a browser RCE but needs a way to deliver it to a target they know uses a particular service or browser, and for that they may need an XSS.

Still won’t net you as much as an RCE, but they do get bought sometimes.


> in this case there is zero moral quandary

And zero legal quandary.


Also true.



