
Hot Take: these bug bounty systems are a way to get cheap labor.

Instead of spending the time and money to build secure systems up front, they will offload this to "bounty programs" where the time spent finding vulnerabilities will not match the reward. It's like an unpaid internship, but worse since you are competing with people of varying cost of living requirements.

Yeah, a potential $150K bounty sounds like a shit ton of money for a person in a third world country. But for anybody else (given the same time spent finding the vulnerability), there is no financial motivation. Only "fame" via disclosure reports in the security community.

This is the equivalent of a customer asking a professional photographer who is new on the scene to do their photography for free in exchange for "exposure". No, you aren't innovative. You are a cheap asshole.



If it really was a way to get cheap labor, more companies would be doing it.

As it is now, only the largest tech companies with the strongest security records are actually running good bug bounty programs. They have excellent, well-paid security teams and they put systems in place to incentivize all of their employees to write secure code. But, they know that (1) mistakes can still happen, (2) clever vulnerabilities can be discovered that get around code that was previously thought to be following all best practices, and finally they understand very well that (3) if they don't pay, others will.

Unfortunately it's the companies that need it most - like AT&T and Experian - that have the worst track record with rewarding third-party security researchers.


That’s not actually fair.

Defense is very hard. Offense, by comparison, is much easier. An attacker has to win once, and then they’re in.

A defender has to win every time, which is much much harder, if not impossible.


The defender does not have to win every time. That is what defense in depth is all about: multiple lines of defense.


You’re missing the point, either intentionally or unintentionally.

No matter how many lines of defense in depth you have, protecting the surface area of a product or service is always going to be harder than attacking it.



