Amazon-owned streaming platform Twitch has responded to last week’s breach of its source code by increasing bug bounty pay-outs from $3,000 to $5,000, sources have told The Register.
The paltry sum was announced to people signed up to Twitch’s bug bounty platform, provided by “crowdsourced cybersecurity” firm Bugcrowd. An email seen by The Register detailed the increase in “base payouts” to members of the scheme last week.
The missive said Twitch was “expanding our scope to capture additional submissions,” adding: “We’ll be working hard with our Bugcrowd triage team to ensure that legitimate submissions are marked as in scope.”
Those increases are as follows:
- P1: $3,000 -> $5,000
- P2: $1,800 -> $2,000
- P3: $300 -> $500
- P4: $100 -> $300
A Reg reader who received this message remarked: “That’s one of the general problems with these bounties – they often don’t match the seriousness of the vulnerabilities you find. Personally I find bug bounties a big waste of time and an Orwellian gig economy so will be sitting this one out.”
Last week Twitch had its source code and video streamer payout data, among other things, leaked in a 128GB torrent file, prompting much excitement among streamers around who was scoring the largest payout from the site.
Of more interest (certainly to El Reg‘s readership) was the leak of what looked like Twitch’s entire codebase, now available to all of its rivals (and regulators) to pore through at will to discover how the site’s ranking and promotion algorithms operate. Given the large sums seemingly being paid out to the top streamers, it might also interest tax authorities around the world.
Twitch blamed the leak on a “server configuration change” that was spotted by a “malicious third party” while insisting that “full credit card numbers” were not exposed – leaving open the possibility that other credit card data was revealed to the world.
Bug bounty payouts elsewhere can be considerably larger than a few hundred or a few thousand dollars; a computer science student bagged $50k from Shopify this summer after spotting something similar in effect to the Twitch leak – an exposed access token granting read/write access to Shopify's source code repos.
Although bug bounty companies make a big song and dance about the amounts that can be paid out, in reality five-figure payouts are few and far between. Research from a couple of years ago showed that the top 1 per cent on HackerOne made an average of £26,500 per year ($34,225 at the time).
Advocates of bug bounties say the schemes help encourage responsible security research and reporting, giving people a financial incentive to do the right thing. Critics say they’re used as infosec window dressing and people who have spoken to The Register in the past have complained that some companies go to great lengths to minimise payouts by inappropriately downgrading high-severity vulns.
Twitch failed to acknowledge a request for comment. We have yet to hear from Bugcrowd. ®