
Spending $20000 (and whatever other resources this thing consumes) on a denial of service vulnerability in OpenBSD seems very off balance to me.

Given the tone with which the project communicates when discussing other operating systems' approaches to security, I understand that it can be seen as some kind of trophy for Mythos. But really, searching the number of errata on the releases page that include "could crash the kernel" makes me think that investing in the OpenBSD project by donating to the foundation would be better than using your closed-source model for peacocking around people who might think it's harder than it is to find such a bug.




It’s $20k for all the vulns found in the sweep, not just that one.

And last security audit I paid for (on a smaller codebase than OpenBSD) was substantially more than $20k, so it’s cheaper than the going price for this quality of audit.


You don’t see the value of vulnerabilities as on the order of 20k USD?

When it’s a security researcher, HN says that’s a squalid amount. But when it’s a model, it’s exorbitant.


Denial of service isn’t worth that much generally, I think - you can’t use it to directly steal data or to install a payload for later exploitation. There are usually generic ways to mitigate denial of service as well - IP blocking and the like.

TCP packets triggered an OpenBSD kernel panic. True, that has mitigation. But it's interesting because it happened in a crucial part of well-reviewed code base.

There were more critical vulns in other projects, like FreeBSD RCE, or Linux privilege escalation.


If I understand you correctly, you're asking me if I would class this as a 20k USD (plus environmental and societal impact) bug? Nope, I don't.

I've not said anything else than that I think this specific bug isn't worth the attention it's getting, and that 20k USD would benefit the OpenBSD project (much) more through the foundation.

> When it’s a security researcher, HN says that’s a squalid amount. But when it’s a model, it’s exorbitant.

Not sure why you're projecting this onto me, for the project in question $20k is _a_lot_. The target fundraising goal for 2025 was $400k, 5% of that goes a very long way (and yes, this includes OpenSSH).


> you're asking me if I would class this as a 20k USD (plus environmental and societal impact) bug?

Not this bug in particular as a single bug bounty, but as an entire codebase audit that exposed multiple bugs? Sure.


20,000 is the most this will ever cost.




