Hacker News

Here's an honest question: why do people still bother with the 'responsible disclosure' nonsense? What's in it for them? Days of work, weeks of waiting and frustration, for a 'mention' in some imaginary 'hall of fame'? $1mm over 1500 bugs, that's $666 / bug. That's about a day's worth of work if your rates are low and you are in a low CoL area, or half a day or less if you work for Google.

I take it that people who find these vulns do it for fun, even if it's their job - if you don't have a contract to start looking for issues, there is no reason to do so other than fun. So the only reason people bother with 'responsible disclosure' is, as far as I can tell, because not doing so would damage their public persona. But it only got to that point because big vendors pushed the moral superiority of 'responsible disclosure' on us over the last decade. Back in the 1990s (when I was last sort of active in the scene), nobody would think of giving vendors weeks or months of time to fix their own damned bugs - if your PoC exploit worked at 3am (with real, working shellcode, none of that 'call ::MessageBox(NULL, "U got 0wned")' nonsense), you'd post it to bugtraq at 3:15 so that you could see the responses when you got out of bed in the morning.



I think it's fairly simple: if you get Google to accept that there's indeed a problem, they'll fix it and 100% of the possible victims of this exploit are now safe. If you disclose it non-responsibly, you are letting a pretty big crowd know there's a problem, while leaving a time window open for them to exploit it and pretty much assuring that someone will get "0wned". By disclosing responsibly, you are making sure that the least possible number of users are affected.

It's not about the hall of fame. It's about making the web a safer place.


Okay, maybe it says something about me as a person, but I can't quite understand that as a reason. I mean, I understand why people volunteer at a soup kitchen, but not this. Why would somebody go out to protect some unknown people on the internet from the mistakes of a for-profit company that is probably screwing over those same people, and themselves, in 100 other ways? I'm not anti-corporations or anything like that, but I do recognize that they are looking out for themselves (as is their right); I don't understand why everybody who deals with them in some way or another doesn't do that, too.

Plus - the fastest way of getting a vuln fixed is by having it out in the open, hopefully in a way so public that the affected companies' PR departments need to get involved. That at least incentivizes them to proactively look for issues, rather than set up a security@ alias, hire some well-known names from the scene to fix issues sent there and calm the pocket protector crowd when shit hits the fan (cough, ctrl-f this page for examples), and pay reporters a fraction of the market value of their work (if anything at all).


I suspect that for most security bugfinders, the people they are protecting are not the giant corporations, it's the grandmas whose computers will be pwned within about a day or two of a 0-day hitting the open market. The number of people who read security blogs is minuscule compared to the number of people who use products with security flaws. You are not going to convince most of the latter to read vulnerabilities, but they're the ones who get hurt when a bug makes it out into the open unreported.


*I do recognize that they are looking out for themselves (as is their right), I don't understand why everybody who deals with them in some way or another doesn't do that*

But in what way is responsible disclosure not looking out for oneself? Even if you don't care about the potential reputation hit of releasing non-responsibly, how are you better off by not waiting a couple of weeks or so?


It's a computerized version of the soup kitchen.

Instead of handing out soup to a hundred folks, they help the entire internet.

Good deeds don't really need justification.


This is more like volunteering to clean up broken glass from your local park than volunteering at a soup kitchen. The internet is a shared public space, and some of the inhabitants are better equipped to help improve it for everyone.


I think a lot of it is the kudos. If they are interested in security research (or just breaking stuff) either as a learning experience or a challenge, then they might be doing these things anyway. Once something is found, what do you do with it? File it and enjoy the inner glow of pride perhaps, but if someone like Google publicly acknowledges your achievement it becomes a validated success that goes on your CV and/or gets talked about in an interview as a measure of your knowledge/skill. Even ignoring the CV/interview: in some circles it is worth it just for the bragging rights.

The money is a secondary issue IMO. For some it is encouragement to try again and potentially find something else useful to submit, for others it is an alternative to flogging the exploit for more on relevant forums (though without the right contacts I expect getting good money this way is not as easy as some suggest). For others it is just a happy little bonus, they'd keep going anyway and continue to submit their findings but they're not daft enough to turn down a little cash if offered.

And of course the tertiary issue is that you are helping to improve the security (and/or reliability more generally) of a product that you yourself rely upon, and therefore want to see improved as far as is possible in terms of security and reliability.

The average pay-out is not a terribly good measure though: people aren't aiming for the average, and the payout for critical issues is much higher. There are quite a few awards for more minor issues which are easier to find (and sometimes are found by relatively effort-free semi-automated methods), which skews the average, making the effort of finding one of those critical issues look less rewarding than it actually could be.


Motivations vary, and it's not for everyone - but we're quite happy with the participation we're getting out of it.

FWIW, the average amount is sort of meaningless: we pay between $3k and $20k for high-impact bugs.

There are also some researchers who prefer quantity over quality, and go after low-hanging fruit in acquisitions and isolated, non-sensitive services - often using custom automated tools. These findings usually pay around $100, skewing the total.



