Wow, ok. So I took a look at their sales video[0] to figure out what their product is about. And well ...
Today I learned that people in Siberia don't have mailing addresses - at least that's what they claim in their sales video. But luckily with Hackerone you can pay
> [a] security researcher in Siberia who doesn't have a mailing address
...
I find this horribly insulting. (And I'm not even from Russia).
That's me, and I'm quite embarrassed as I never paused to consider how it could be interpreted.
That was a real story. Shortly after we established Facebook's bug bounty program, we received several vulnerabilities from a brilliant computer science student at Tyumen University (in Siberia). His dorm did not accept international mail, he did not have an accepted government ID (didn't drive), and figuring out how to pay him was a multiple-month ordeal that Facebook's accounting team was completely not prepared for. It's something that we take for granted, but international disbursements to every individual with internet access is actually an extremely challenging and unsolved problem.
He presided over the sale of MySQL to Sun. We, non-VPs, got screwed there. 5 figures for the top developers, 7 for the VPs, 8 for the CEO, and 9 for the founders!
>$5 million in bounties has been paid to 2,000 contributing hackers for finding over 14,000 vulnerabilities
That's an average of $357/vuln - or $2,500 per "hacker" -- or if you assume everyone shared the 357/vuln that would only equate to $.17 per hacker per vuln.
That seems really really low.
What % of the $5MM or the 14K did the top hacker or group take home?
How long is the tail of zero $$ per hacker in the community of the 2K?
(I met the founder on BART some time ago and was trying to get their services at my last company, and I was just literally this morning thinking about H1 as I need to have my PII SaaS system evaluated... but I am interested in the economics of this as well)
Great questions. We'll line up a more analytical post on the topic as I don't know all the answers here, and we all should. In the interim, here are a few rough from-memory answers:
> Thats an average of $357/vuln
The 14,000 includes resolved bugs where no reward was offered (bounties are optional, with ~40% of programs not offering any, i.e. "responsible disclosure", a drop-in replacement for security@company.com). If you reduce the set to reports where a reward was offered, the average is closer to $750.
> What % of the $5MM or the 14K did the top hacker or group take home?
The top earner last year took $280k.
> How long is the tail of zero $$ per hacker in the community of the 2K?
This is a diverse group. Several hundred are active "hackers" driven financially. The rest are developers, hobbyists, and technical consumers who just happened to get curious about something in particular or even stumbled across a security problem in passing (this is far more common than you'd reasonably expect).
[0] https://youtu.be/1T6GSa0qPNk?t=99