Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

June 6, 2015

Cheap Bastards

Filed under: Cybersecurity,Security — Patrick Durusau @ 12:36 pm

Have you heard the story about the couple who celebrated their 50th wedding anniversary at an elegant restaurant with their three sons? The father was chagrined to find that none of the sons had given them presents for the occasion. After the meal was over, the father said: “There’s something your mother and I have been meaning to tell you for years. We were never married.” The sons gasped and the youngest son blurted: “You mean we are all bastards?” “Yes,” said the father, “and cheap ones too!”

That story came to mind when I read the Tesla bug bounty program award list:

• XSS: $200–$500

• CSRF: $100–$500

• SQL: $500–$1,000

• Command injection: $1,000

• Business logic issues: $100–$300

• Horizontal privilege escalation: $500

• Vertical privilege escalation: $500–$1,000

• Forceful browsing/Insecure direct object references: $100–$500

• Security misconfiguration: Up to $200

• Sensitive data exposure: Up to $300

Given the education, experience, training, expertise, equipment, and resources needed to be a first-class hacker, how are you going to make a living at $300 for “sensitive data exposure?”

A hack may only take you a few seconds but it isn’t like you are doing piece work in a garment factory. The time it takes to perform a hack shouldn’t be the measure for payment.

If you are seriously interested in improving cybersecurity, unlike the leadership at the U.S. Office of Personnel Management, then don’t be a “cheap bastard,” when it comes to cybersecurity. If that seems unclear, you know where to find me for further details.
