Open source is a bare minimum, although even that's not worth as much given how much harder it is now to load extensions that you've compiled yourself.
But those features you're talking about sound like they need extensive privileges within the browser. And while your extension might do what it says today, what's stopping you sticking a load of malware and adverts in there tomorrow? Or selling it to someone else who does?
If the author is an established person who's been known for years to develop good quality extensions and not sell out, then that gives some assurance. If it's an organisation like the EFF, even better?
But a random anonymous person making their first extension? No chance.
I remember seeing a prank program years ago that showed the SETI@home screensaver for a bit, then popped up an alert box saying "Alien Life Found!" with options to submit or cancel(!).
If you tried to submit it would spend a while with a really slow progress bar, and then say it failed to submit and ask you to contact SETI directly. I wonder if anyone actually did...
There's also the issue of what happens to my money as a researcher. Is it paid to the company, or is someone holding it in escrow? What if it takes the developer months to respond, or they never do? Do they just get to keep my money indefinitely? What if the vendor pulls out of the scheme? What if I do a chargeback on the payment I made? Etc., etc.
I wonder if a better model would be to make the platform pay-to-enter, but not the specific bugs? So you have to pay a fee to gain access to a platform like HackerOne, and if your signal:noise ratio gets too bad then your account gets revoked? That would make it feel like less of a gamble than having to pay for every individual bug - but it still has the same problem that it's putting a big barrier in front of legitimate good-faith researchers.
A problem with this approach is that one of the key functions of a bug bounty program is to encourage people to report vulnerabilities to the developers, rather than selling them elsewhere.
If I have to pay money to submit a vulnerability to the developers with no guarantee that I'll even get refunded for a high quality and good faith report, let alone any actual payout, there's much less incentive for me to do so compared to selling them to someone else who won't charge me money for the privilege.
In a past life I was deeply involved in the operation of a bug bounty program. Discouraging people from selling on the black market was nowhere on the list of motivations.
We wanted to encourage white hat security researchers to look at our domain rather than other domains so we could collect more data on the kinds of vulns that appeared in our domain to help prioritize efforts that would fix the root causes of recurring bug patterns.
I've also submitted bug bounties and received rewards and I've worked with a bunch of other people who have done this. At no point did I even consider selling on the black market and I suspect that my friends from grad school were the same way.
Maybe the $1,000,000 bounties for zero-click RCE on iPhones or whatever exist to discourage selling on the black market, but I'm not even sure that is true. "Well, I'll just find a way to sell this to the Russian mob" is not exactly something that is on the radar of the vast majority of security researchers.
The reality is that most people's thoughts on bug bounties are from salacious headlines talking about those $1M vulnerabilities. In reality the average bug bounty submission is a machine translated report for a low severity issue in a web app that may or may not even exist (or be a vulnerability), sprayed at hundreds of companies (or the same company a hundred times) in the hopes of earning $500 to basically do currency manipulation.
There are plenty of places you can sell exploits other than OCGs. At the more legitimate end of that market are people like ZDI who will then collaborate with the vendors (after a time), or companies making exploit kits/tooling for pentesters/red teaming. More questionable ones are companies that make things like forensics tools or spyware, who are legal but perhaps ethically dubious. All completely legal, but not great for the wider community if they're getting the vulns rather than the developers.
If you're trying to protect your own website and servers, those markets won't be a concern for you. If you ship a widely used product that's an attractive target (like a web browser, mobile device, network kit, etc.) then they definitely are.
You don't sell it to the "Russian mob", you sell it to a highly reputable security company that will buy it for like $10 million or more and sell it to governments and stuff, not the mob.
I mean, seriously.
Why would I ever go find a 0-click RCE bug and then just donate it to a trillion dollar company just to get a "thx" when I can just retire right then and there?
If so I could understand this (although there are certainly arguments to have had about it). But if they allow accounts without MFA then this would seem counterproductive, because while TOTP has issues it's a lot better than nothing.
Does this same argument not apply to other areas of music though? By that line of reasoning, should sites not also have to declare whether they used synthesisers rather than real instruments, or autotune for vocals, or all kinds of other things like that so that the listeners can make informed decisions?
I don't think any consumer would object to that. Typically the instrument thing is already handled in the "liner notes" (or the digital equivalent). It'd be nice to see a disclaimer for auto-tune as well.
The interesting question would be how many products came in lower, but sadly the article doesn't include that.
If 23% were higher and 23% were lower then you could make a reasonable argument that it's just incompetence from the store.
But if 23% are higher and none are lower, then that looks a lot more like malice - because the odds of you happening to have a 23% error rate that just happens to always work out in the retailer's favour are basically zero.