Twitch increases bug bounty payouts after source code leak by... wait, is that it?

Reg reader sighs at 'Orwellian gig economy' sums

Amazon-owned streaming platform Twitch has responded to last week's breach of its source code by increasing bug bounty payouts from $3,000 to $5,000, sources have told The Register.

The paltry sum was announced to people signed up to Twitch's bug bounty platform, provided by "crowdsourced cybersecurity" firm Bugcrowd. An email seen by The Register detailed the increase in "base payouts" to members of the scheme last week.

The missive said Twitch was "expanding our scope to capture additional submissions," adding: "We'll be working hard with our Bugcrowd triage team to ensure that legitimate submissions are marked as in scope."

Those increases are as follows:

  • P1: $3,000 -> $5,000
  • P2: $1,800 -> $2,000
  • P3: $300 -> $500
  • P4: $100 -> $300

A Reg reader who received this message remarked: "That's one of the general problems with these bounties – they often don't match the seriousness of the vulnerabilities you find. Personally I find bug bounties a big waste of time and an Orwellian gig economy so will be sitting this one out."

Last week Twitch had its source code and video streamer payout data, among other things, leaked in a 128GB torrent file, prompting much excitement among streamers around who was scoring the largest payout from the site.

Of more interest (certainly to El Reg's readership) was the leak of what looked like Twitch's entire codebase, now available to all of its rivals (and regulators) to pore through at will to discover how the site's ranking and promotion algorithms operate. Given the large sums seemingly being paid out to the top streamers, it might also interest tax authorities around the world.

Twitch blamed the leak on a "server configuration change" that was spotted by a "malicious third party" while insisting that "full credit card numbers" were not exposed – leaving open the possibility that other credit card data was revealed to the world.

Bug bounties are typically a bit bigger than a few hundred or thousand pounds; a computer science student bagged $50k from Shopify this summer after spotting something very similar to the Twitch leak – an access token granting read/write access to Shopify's source code repos.

Although bug bounty companies make a big song and dance about the amounts that can be paid out, in reality five-figure payouts are few and far between. Research from a couple of years ago showed that the top 1 per cent on HackerOne made an average of £26,500 per year ($34,225 at the time).

Advocates of bug bounties say the schemes help encourage responsible security research and reporting, giving people a financial incentive to do the right thing. Critics say they're used as infosec window dressing and people who have spoken to The Register in the past have complained that some companies go to great lengths to minimise payouts by inappropriately downgrading high-severity vulns.

Twitch failed to acknowledge a request for comment. We have yet to hear from Bugcrowd. ®


Biting the hand that feeds IT © 1998–2022