Twitch increases bug bounty payouts after source code leak by... wait, is that it?

Reg reader sighs at 'Orwellian gig economy' sums


Amazon-owned streaming platform Twitch has responded to last week's breach of its source code by increasing bug bounty payouts from $3,000 to $5,000, sources have told The Register.

The paltry sum was announced to people signed up to Twitch's bug bounty platform, provided by "crowdsourced cybersecurity" firm Bugcrowd. An email seen by The Register detailed the increase in "base payouts" to members of the scheme last week.

The missive said Twitch was "expanding our scope to capture additional submissions," adding: "We'll be working hard with our Bugcrowd triage team to ensure that legitimate submissions are marked as in scope."

Those increases are as follows:

  • P1: $3,000 -> $5,000
  • P2: $1,800 -> $2,000
  • P3: $300 -> $500
  • P4: $100 -> $300

A Reg reader who received this message remarked: "That's one of the general problems with these bounties – they often don't match the seriousness of the vulnerabilities you find. Personally I find bug bounties a big waste of time and an Orwellian gig economy so will be sitting this one out."

Last week Twitch had its source code and video streamer payout data, among other things, leaked in a 128GB torrent file, prompting much excitement among streamers around who was scoring the largest payout from the site.

Of more interest (certainly to El Reg's readership) was the leak of what looked like Twitch's entire codebase, now available to all of its rivals (and regulators) to pore through at will to discover how the site's ranking and promotion algorithms operate. Given the large sums seemingly being paid out to the top streamers, it might also interest tax authorities around the world.

Twitch blamed the leak on a "server configuration change" that was spotted by a "malicious third party" while insisting that "full credit card numbers" were not exposed – leaving open the possibility that other credit card data was revealed to the world.

Bug bounties are typically a bit bigger than a few hundred or thousand pounds; a computer science student bagged $50k from Shopify this summer after spotting something very similar to the Twitch leak – an access token granting read/write access to Shopify's source code repos.

Although bug bounty companies make a big song and dance about the amounts that can be paid out, in reality five-figure payouts are few and far between. Research from a couple of years ago showed that the top 1 per cent on HackerOne made an average of £26,500 per year ($34,225 at the time).

Advocates of bug bounties say the schemes help encourage responsible security research and reporting, giving people a financial incentive to do the right thing. Critics say they're used as infosec window dressing and people who have spoken to The Register in the past have complained that some companies go to great lengths to minimise payouts by inappropriately downgrading high-severity vulns.

Twitch failed to acknowledge a request for comment. We have yet to hear from Bugcrowd. ®
