The good news is that all of this is voluntary. If you don't like the program or the rewards, there is no obligation to participate.
It should be noted that the reward from Google is on top of whatever the company in question may pay. Companies that develop Android apps can start their own programs with their own bounties. Google's program comes on top of that.
As a hacker, the more you submit valid vulnerability reports on HackerOne, the more skilled you will become and the higher your reputation score will go. This in turn will allow you to make money on many other programs.
It's not easy to become a top whitehat hacker, but if you do, the rewards are significant.
Here is how HackerOne celebrated the $500,000 milestone for a hacker: https://www.hackerone.com/blog/mlitchfield-Earned-500000-on-HackerOne
(Sorry for first posting this as Anonymous Coward. I had forgotten to sign in.)
Just Stop.
We didn't want disney to do its own network, we barely tolerate hulu which is consumer-antagonistic in its practices.
There's a reason a lot of us have deleted our facebook accounts, and that's because facebook does a piss poor job of managing its feed as-is. If you think this sort of gimmick will bring us back, you're wrong.
stop "other search engines" nonsense automatically adding every website search form I use to your collection of things you try to do on my behalf. Til you stop doing stupid shit in your apps, you have no business telling anyone else what to do.
your text paints like I'm on a 300 baud modem and the scroll buffer is unusable. Fix fundamental issues with the app, you can already get far better console apps like cmder for windows, you should worry about coming to usability parity before freaking colors.
This is one of the reasons I've stopped using google for a lot of things lately. I should have seen the writing on the wall when they forced us all to have google+ accounts, for a site I haven't looked at in I can't even tell you how long. I wish they'd split youtube off into its own separate entity again so I could kill all my google usage.
This is an interesting question. We don't really know what will happen long term. One possibility, as you point out, is that black markets will always outpay any other market. Another possibility is that the ethical hacker community will become so large and strong that they will find all those same vulnerabilities and deliver them to the system owners before the black market gets to build exploits and use them for nefarious purposes. It takes just one ethical hacker who finds a critical 0day to deliver it to a service like HackerOne, and the market for that vuln is over. Although asymmetry is usually in the favor of the criminal actor, in this case it is in the favor of ethical behavior. One ethical hacker can put an end to the sale of a 0day on the black market.
What I find interesting is that a regular newspaper will write about this despite it being a highly technical topic. The readers of New York Post are regular citizens. This shows that software security and the hunt for bugs are becoming important enough to be presented to the broader public.
Given the ease of submission and speed of payment, a bug bounty can be very well worth it. On HackerOne, there is a hacker who made over $600,000 in two years with most of the individual bounties well under $10k.
See, that implies that we don't have lower end engineers learning these skills that we've hired also, which is false, because we most certainly do. But the competition for these candidates is fierce, so we can't get people to do the work right now that needs to be done while we train them. Your ability to not grasp the obvious is astounding.
as someone who has a mix of both H1B and american workers under his care, I can tell you this: if you want high end technical labor, we simply DO NOT have enough qualified candidates here in the united states. We eat up EVERY SINGLE ONE that we can get our hands on that is an american citizen or has permanent resident status that is qualified when we have an opening, because going through the process of hiring high end candidates is time consuming and a drain on your resources. If you think we're paying the people with these visas garbage salaries either, you're wrong. We have rigorous interview processes and after 1 year of employment we work to make sure we keep that talent inside the country with an EB-2 green card application which we pay extra for to fast track. If you think you're qualified for one of these jobs that we have an open req for, please by all means apply.
And I'm sorry, doing tech support at best buy does not qualify you for a 200k/yr data scientist role. Unless you have a masters degree or are amazing enough to not require higher education (or have equiv job experience, that's fine too) then go ahead. I'm sorry but our universities just aren't putting out enough talent at this level that isn't already snatched up. It's a competitive market and even paying well we often have to go outside of the country to find qualified candidates (or to those already in the country who have H1-B visas and are authorized to work).
LET ME BE VERY CLEAR HERE: We are not talking about entry level positions. we are not talking about outsourcing your job to india. we're talking about someone with the background and knowledge to actually do the work that we need to do without spending years training them. This is what your google, facebook, microsoft, and yes, godaddy too, are trying to make sure is getting across to folks.
Kleeneness is next to Godelness.