I am genuinely surprised that these have been and continue to be so low. I do not know why, but I was under the impression that we had already gotten into the 1 million USD range. While I do not know how much an interested party would realistically pay for an exploit that enables the complete takeover of, or even just limited access to, a Gmail/Google account, I am pretty sure it has to be an order (perhaps even orders) of magnitude more than 75k.<p>Looked into it and am equally surprised to find that others, like Microsoft [0], also have such low bounties for these types of attacks.<p>While providing such an exploit to the affected company has value beyond the bounty (potential job offers, media exposure, credibility, ethical considerations, etc.), weighing that up against life-changing money really makes it hard to fault those who take the more lucrative route of selling these to the highest bidder, whoever that may be.<p>Seriously, Alphabet and Co. can afford more, especially considering any such exploit would most certainly hit their bottom line/stock far beyond a few 100k.<p>[0] <a href="https://www.microsoft.com/en-us/msrc/bounty" rel="nofollow">https://www.microsoft.com/en-us/msrc/bounty</a>
So if you find several catastrophic vulnerabilities each year, then you can make as much as one of the many people whose jobs it was <i>not</i> to create those vulnerabilities in the first place? :)
Question for the hackers: how much effort goes into solving these bounties, and are they monetarily worth the time?<p>I'm wondering if bounty programs effectively form a low-paid gig economy for programmers.
I personally know at least one normally functioning person who didn't claim their $1k bounty due to the complexity of that process (also bureaucracy).<p>Fortunately this is not a problem for me, because I couldn't find anything even if I wanted to.
Hot Take: these bug bounty systems are a way to get cheap labor.<p>Instead of spending the time and money to build secure systems up front, they will offload this to "bounty programs" where the time spent finding vulnerabilities will not match the reward. It's like an unpaid internship, but worse, since you are competing with people with varying cost-of-living requirements.<p>Yeah, a potential $150K bounty sounds like a shit ton of money for a person in a third world country. But for anybody else (given the same time spent finding the vulnerability), there is no financial motivation. Only "fame" via disclosure reports in the security community.<p>This is the equivalent of a customer asking a professional photographer who is new on the scene to do their photography for free in exchange for "exposure". No, you aren't innovative. You are a cheap asshole.
These amounts are hilariously low. $150k for a full gmail account takeover is peanuts compared to the potential impact, and the $4k for PII leak on nest.com is frankly just insulting.