Bug bounty payouts are not effort based. It does not matter how much time it took the discoverer to find the vulnerability. So discussing the amount of work involved is irrelevant; it's not like the kindergarten level "oh you tried so there's a consolation prize for effort". Comparing it against the fixed rate salary of a SWE is even more wrong, except that your argument shows it is more profitable for a hypothetical person relying on bug bounty income to instead join Google as an internal red teamer.

The other comment has already addressed the market value question.

Unless you can stumble on Google vulnerabilities casually, it's showing quite the opposite -- how unprofitable it is to work from bug bounties.


It's not the opposite. We are in fact not disagreeing. It's unprofitable to work from bug bounties. The person is better off becoming an internal red teamer.
