Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Yes the payout calc by company is cost to the company of an exploit, but with a repeated game scenario.

i.e. you can't look at the bug and payment in a vacuum, you have to factor in future bugs.

So the cost is the value to the company for the exploited bug if used properly plus the expected value of future bugs.

Which is weird, right? This shows companies can be internally incentivized to reduce bug bounty payments to show 'they are improving' when in fact, developers are leaving their bug bounty program.



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: