
Google To Pay $500 For Bugs Found In Chromium

ScuttleMonkey posted more than 4 years ago | from the rewards-for-being-1337 dept.


Trailrunner7 writes to mention that a new program from Google could pay security researchers $500 for every security bug found in Chromium. Of course if you find a particularly clever bug you could be eligible for a $1337 reward. "Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be. Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program."


175 comments


No adblock plus (3, Funny)

sakdoctor (1087155) | more than 4 years ago | (#30954612)

$500 please

But it has AdThwart (3, Insightful)

tepples (727027) | more than 4 years ago | (#30954770)

Wii doesn't have Halo, and Xbox 360 doesn't have Metroid Prime. Or Mac OS X doesn't have Windows Movie Maker, and Windows doesn't have iMovie. And as you point out, Chrome doesn't have Adblock Plus, but Firefox doesn't have AdThwart [google.com]. Even if the titles aren't the same across platforms, they still do roughly the same thing.

Re:But it has AdThwart (2, Informative)

Anonymous Coward | more than 4 years ago | (#30954876)

AdThwart only hides the ads; it doesn't block them. Third party ads/ad servers are a common source of security breaches. His point has validity.

I wouldn't hold my breath for the money, though.

Re:But it has AdThwart (4, Informative)

iammani (1392285) | more than 4 years ago | (#30954920)

they still do roughly the same thing.

No they don't. As has already been pointed out on Slashdot hundreds of times, Chrome only allows you to hide ads; it does not prevent ads from being downloaded. Hence you might see ads for a second before they actually disappear. And even worse, ads for YouTube (the ones that pop up within the Flash plugin) can be blocked using Adblock in Firefox, but not in Chrome (using AdThwart or Adblock or whatever).

Re:But it has AdThwart (3, Insightful)

maxwell demon (590494) | more than 4 years ago | (#30955170)

Given that Google is an advertising company, this is no surprise (actually it's a surprise that they actually offer ad hiding).

Re:But it has AdThwart (1)

hedwards (940851) | more than 4 years ago | (#30955454)

True, but it's still more than a little bit irresponsible. Google isn't exactly the most responsible company out there; how long has it been that they've been running silent updates over an unencrypted connection without asking for permission? Feel free to correct me if they've changed that policy, but it's only been in the last couple of weeks that Gmail defaulted to using SSL.

Re:But it has AdThwart (3, Informative)

iammani (1392285) | more than 4 years ago | (#30955594)

Actually it's not that Google is explicitly offering an ad hiding feature. It is just that Google is allowing extensions to insert stylesheets into webpages, and AdThwart is using this feature to hide ads. If Google were to not disallow extensions from inserting stylesheets, the capability of the extensions would be so limited that it would literally become useless.

Besides, it is an open source tool. If they explicitly disallow adblocking, someone will fork it.

So it's not that Google is doing us a favor. It's just that it does not have any other options.

Re:But it has AdThwart (1)

iammani (1392285) | more than 4 years ago | (#30955624)

er: s/not disallow/disallow

Looks like I need more coffee!

Google (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30954630)

The Next Microsoft. A low-level employee of Google farts, and it gets reported here on Slashdot as Important News. Yay! Keep sucking their cocks with free publicity guys, maybe you'll be rewarded with a protein shake!

$1337 - killer reward. (0, Offtopic)

unity100 (970058) | more than 4 years ago | (#30954656)

if you read it properly of course.

Re:$1337 - killer reward. (1)

Dogtanian (588974) | more than 4 years ago | (#30955518)

if you read it properly of course.

"Sleet"? Well, I guess the soggy snow we got in the week before Christmas was lethally slippy once the thaw/refreeze turned it into sheet ice...

Anyway, given that Google is normally good at flattering geeks, the 1337 reference is (a) way too obvious and (b) way too five years ago (when was the last time you heard anyone use 1337-5p34k in a non-ironic sense?)

They could at least have made the reward some power of two (though they might have been accused of ripping off Donald Knuth, since IIRC he did that first) or something related to e or pi. Dropped the ball there...

Perhaps they'll donate $318008 to the person who finds the Playboy centrefold Easter egg? ;-)

Re:$1337 - killer reward. (1)

unity100 (970058) | more than 4 years ago | (#30956006)

So what?

What if it was too obvious and it was 5 years ago. It's still 1337. It's still leet.

This isn't a women's shoe or fashion piece.

Re:$1337 - killer reward. (2, Informative)

Dogtanian (588974) | more than 4 years ago | (#30956230)

So what? What if it was too obvious

Because Google tend to do things that genuinely appeal and pander to geeks' intellects and identity (and demonstrate that they understand them).

Using the word "1337" like that is the kind of stereotypical thing someone *trying* to give the appearance of geek-friendliness and cool- who is themselves quite out of touch- would do. It's cheesy and tacky and...

and it was 5 years ago

Yeah, well you never see anyone using it now. And like it or not, geeks *do* follow fads.

If you want a rationalisation of that, a few years back, only message-board geeks knew what "1337" meant; anyone using it demonstrated that they probably were a geek, or at least understood those people. Then 1337-5p34k got more popular, then it started appearing in magazine articles explaining what those strange symbols your children were typing meant. At this point, anyone "knew" what 1337 meant, and could fake geek cred by using the expression. Oddly, it was also at this point (circa 2006 or so) that genuine 13375p34k dropped off the face of the earth, almost certainly because any obfuscating purpose and in-group identification had been killed off. Like any fashion.

And like it or not, geeks do follow fashions (for the sake of fashion), just not necessarily mainstream-style ones.

Re:$1337 - killer reward. (2, Funny)

element-o.p. (939033) | more than 4 years ago | (#30956258)

Tell you what...if 1337 is too "five years ago" for you, feel free to donate the reward to me if you win it ;)

Nice idea, but limited scope (5, Informative)

girlintraining (1395911) | more than 4 years ago | (#30954682)

They have to decide it's a critical bug, and it must be a single bug. A string of minor bugs that leads to a catastrophic bypass of security would be ineligible if I read these guidelines correctly. They also won't accept it if it's an operating system bug, though I could envision this being "the system call doesn't function as documented". Well, if the operating system won't fix it, it's still the application developer's responsibility to use a workaround -- but you wouldn't get credit for this even if it was a potentially serious problem.

Re:Nice idea, but limited scope (4, Informative)

tepples (727027) | more than 4 years ago | (#30954792)

They have to decide it's a critical bug, and it must be a single bug.

From the article: "any clever vulnerability at any severity might get a reward."

Re:Nice idea, but limited scope (5, Informative)

girlintraining (1395911) | more than 4 years ago | (#30954944)

From the article: "any clever vulnerability at any severity might get a reward."

"We will typically focus on High and Critical impact bugs, but" ...

Re:Nice idea, but limited scope (0)

Chees0rz (1194661) | more than 4 years ago | (#30955048)

From the article: "any clever vulnerability at any severity might get a reward."

"We will typically focus on High and Critical impact bugs, but" ...

If you're going to quote out of context, perhaps you should remove the "but" so it isn't obvious. I have no idea what comes after the but... BUT I assume it makes your statement that ONLY critical/single bugs are rewarded, false.

Re:Nice idea, but limited scope (3, Informative)

Your.Master (1088569) | more than 4 years ago | (#30955184)

You've got it backwards. She was providing context, not removing it. The original full quote was:

"We will typically focus on High and Critical impact bugs, but any clever vulnerability at any severity might get a reward."

Re:Nice idea, but limited scope (0, Redundant)

causality (777677) | more than 4 years ago | (#30955374)

You've got it backwards. She was providing context, not removing it. The original full quote was:

"We will typically focus on High and Critical impact bugs, but any clever vulnerability at any severity might get a reward."

Amazing how the mods will go with the GP's (incorrect) take on things rather than take the 800 milliseconds necessary to see for themselves that it was not a "Troll" post, as it is currently modded. Carelessness 1, High-quality Moderation 0. Shocking, I tell you, shocking.

Re:Nice idea, but limited scope (1)

girlintraining (1395911) | more than 4 years ago | (#30955640)

Amazing how the mods will go with the GP's (incorrect) take on things rather than take the 800 milliseconds necessary to see for themselves that it was not a "Troll" post, as it is currently modded. Carelessness 1, High-quality Moderation 0. Shocking, I tell you, shocking.

I agree with everything you said, except 800ms is a bit short. I would say about 20 seconds, if you include the time to backtrack to the main page, click the link, wait for the website to load, and skim it for the relevant quote (which is the first question in the list). It could take up to a minute if they are slower readers -- we can't assume everyone reads as fast as we do.

Still, moderators should read the article before using their points if they're going to mod articles that reference the article's content. Now if it's just "First post!" or "ch34p v!4gr4" posts, then by all means... :\

Re:Nice idea, but limited scope (1)

causality (777677) | more than 4 years ago | (#30955772)

Amazing how the mods will go with the GP's (incorrect) take on things rather than take the 800 milliseconds necessary to see for themselves that it was not a "Troll" post, as it is currently modded. Carelessness 1, High-quality Moderation 0. Shocking, I tell you, shocking.

I agree with everything you said, except 800ms is a bit short. I would say about 20 seconds, if you include the time to backtrack to the main page, click the link, wait for the website to load, and skim it for the relevant quote (which is the first question in the list). It could take up to a minute if they are slower readers -- we can't assume everyone reads as fast as we do.

Still, moderators should read the article before using their points if they're going to mod articles that reference the article's content. Now if it's just "First post!" or "ch34p v!4gr4" posts, then by all means... :\

It was immediately obvious to me that you were providing context. I have not read the article and it was not necessary for me to do so in order to know your intent. If anything, 800ms is generous but it accounts for people who are slow readers.

Re:Nice idea, but limited scope (2, Insightful)

causality (777677) | more than 4 years ago | (#30956026)

I will add one thing... the time necessary is really academic. Moderation is a simple, easy-to-handle matter and the way to do that job is to actually know something about the post that you are modding, usually by reading it, perhaps by cross-referencing it. I immediately knew your intent, but if I didn't, then I could go through a very slightly longer process of referencing the article, which would remove all doubt. So again this is just carelessness on the part of people who probably shouldn't have mod points in the first place.

This was a very rare thing to see prior to management's decision to hamstring meta-moderation. I'd still like to know who thought that was a good idea, who agreed with that person instead of laughing, and who has decided to keep meta-moderation useless even after the detrimental effects of this decision have been demonstrated.

Re:Nice idea, but limited scope (1)

tepples (727027) | more than 4 years ago | (#30955942)

Ideally, if bug A allows bug B to result in a compromise, bug A gets upgraded to high impact.

Re:Nice idea, but limited scope (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#30955202)

$500 (or even $1337) seems a bit low to encourage a would-be criminal to go legit with some clever zero day, rather than exploit it. And, if it isn't now, it will be as Chrome's user base increases. For that reason, I'm assuming that they are offering this as a mixture of publicity stunt and goodwill/attention attracting measure for security researchers (i.e. $500 won't buy very much time from somebody who really knows their shit about programming and security. If, though, you are either going to spend your day doing mean things to Flash or mean things to Chrome, why not go for the beer money).

If those are indeed the motivations, it would seem highly counterproductive for them to be dicks about paying out. If they do, their good publicity will swiftly dissipate after a couple of "Google promises cash for bugs, weasels out" articles, and researchers who might otherwise care will probably just get fed up with fighting verbal technicalities and post to some open disclosure site instead.

Re:Nice idea, but limited scope (1)

Applekid (993327) | more than 4 years ago | (#30955336)

Sounds low if it were, say, for IE or Firefox flaws. Chrome is still less than 5% of the browser market (from Jul - Dec 2009 according to StatOwl) and suffers (or, rather, benefits) from the Mac effect in resisting the actual exploitation of discoveries.

Re:Nice idea, but limited scope (1)

StikyPad (445176) | more than 4 years ago | (#30955434)

Regardless of the motivation, I'm not so sure it's a good idea to essentially add value to the black market for security exploits while simultaneously providing an incentive for contributors to add security bugs. They're really just raising the floor value of any given exploit to $500. Now if they were to offer a reward in excess of the level required to remain profitable through the exploitation of security holes (and it's anyone's guess what that value might be) then that might have some effect, but of course it would also increase the incentive for insider shenanigans.

Re:Nice idea, but limited scope (1)

kangsterizer (1698322) | more than 4 years ago | (#30955460)

Paying a company would cost them $15000 and they wouldn't be sure to get the bugs found.
Researching for $500 sure isn't worth it, unless you just find one by luck. You might also attract teenagers who sometimes get access to private exploits to make a quick $500 legally.
Finally, you get a publicity stunt saying you're so secure and all (but in fact, it's just that not enough people care about your product yet).

Re:Nice idea, but limited scope (1)

shadow_slicer (607649) | more than 4 years ago | (#30955528)

Ah, but if you're the criminal you can get paid twice:
1) find vulnerability
2) sell vulnerability to fraudsters ($$)
3) report vulnerability to google for $$
4) google patches vulnerability so fraudsters can't use it anymore
5) goto 1
6) profit!

Re:Nice idea, but limited scope (5, Funny)

sys.stdout.write (1551563) | more than 4 years ago | (#30955692)

5) goto 1
6) profit!

You're probably going to want to keep the profit within the scope of the loop...

Re:Nice idea, but limited scope (2, Funny)

jopsen (885607) | more than 4 years ago | (#30956104)

5) goto 1
6) profit!

You're probably going to want to keep the profit within the scope of the loop...

Nope... The loop is correct; crime never pays off... :)

Re:Nice idea, but limited scope (1)

JelloJoe (977764) | more than 4 years ago | (#30955608)

How many times do I need to say this? Chromium != Chrome

Wow. (0)

Anonymous Coward | more than 4 years ago | (#30954710)

This is going to decrease the signal to noise ratio of bug reports.

Dilbert (4, Funny)

fatherjoecode (1725040) | more than 4 years ago | (#30954724)

Time for Ratbert to do his dance on the keyboard.

Re:Dilbert (0)

Anonymous Coward | more than 4 years ago | (#30955018)

Sorry Ratbert. You just authored a web browser.

Here's an idea! (1, Interesting)

rehtonAesoohC (954490) | more than 4 years ago | (#30954778)

What they should really do is up the dollar amount by a small margin every time someone finds a bug and is rewarded - maybe on a logarithmic curve?

The idea being that once more and more bugs are discovered, the number of bugs left to discover will diminish, and people will have less incentive to find bugs, even though major flaws may still exist in some form. So the one person who finds the whopper of a bug five years from now could get $100,000...

Feature creep keeps testers in business (2, Informative)

tepples (727027) | more than 4 years ago | (#30954840)

If Google adds new compelling features to Chrome, these will more than likely have new defects. If not, the browser will stagnate compared to Opera and Firefox.

Re:Here's an idea! (3, Insightful)

Anonymous Coward | more than 4 years ago | (#30954852)

If the increase is small enough it probably wouldn't be a problem, but this calls up memories of playing Risk and holding onto my cards because as much as I needed the reward from using them now, it'd be so much MORE of a reward if I held out until someone else turned theirs in.

Re:Here's an idea! (2, Informative)

martin-boundary (547041) | more than 4 years ago | (#30955074)

What is it with people and logarithms? You're posting on slashdot, you should know better!

The logarithm grows very *slowly*:

log(5) = 1.6
log(10) = 2.3
log(100) = 4.6
log(1000) = 6.9

For all practical purposes, you can think of a logarithmic curve as constant.

What you're talking about is an *exponential* curve. Here's the exponential:

exp(5) = 148.4
exp(10) = 22026
exp(100) = 26881171418161354484126255515800135873611118
exp(1000) = 19700711140170469938888793522433231253169379853238457899528029913850\
63850782441193474978076563026889930963817987520226935982981730544612\
89923262783660152825232320535169584566756192271567602788071422466826\
31400685516850865349794166031604536781793809290529972858013286994585\
64702865343759004565643555891562204223202605188261122886383583722487\
24725214506150418881937494100871264232248436315760560377439930623959\
705844189509050047074217568

Re:Here's an idea! (1, Funny)

Anonymous Coward | more than 4 years ago | (#30955258)

exp(1000) =
19700711140170469938888793522433231253169379853238457899528029913850\
63850782441193474978076563026889930963817987520226935982981730544612\
89923262783660152825232320535169584566756192271567602788071422466826\
31400685516850865349794166031604536781793809290529972858013286994585\
64702865343759004565643555891562204223202605188261122886383583722487\
24725214506150418881937494100871264232248436315760560377439930623959\
705844189509050047074217568

Given all of those division signs, isn't this a really small number?! :P

Re:Here's an idea! (1)

maxwell demon (590494) | more than 4 years ago | (#30955326)

I don't see a division sign. Division signs look like this: /
But yes, it's still a small number, compared with a googolplex.

Egad! (0)

Anonymous Coward | more than 4 years ago | (#30955560)

God, I hope you're not a developer of life-dependent software.

A mental image is worth 10^3 words. (0)

Anonymous Coward | more than 4 years ago | (#30955428)

What is it with people and logarithms? You're posting on slashdot, you should know better!

The logarithm grows very *slowly*:

log(5) = 1.6
log(10) = 2.3
log(100) = 4.6
log(1000) = 6.9

Part of the problem may be that no-one looks at simple slide-rules [wikipedia.org] or other graphic representations of logarithmic scales any more. I'm no math genius, yet I was given a fancy slide-rule at age 10, figured out how to do a simple multiplication and division on it and formed a permanent mental impression of logarithms.

On the other side, seeing an exponential curve and understanding its implications also leaves one with a permanent mental reference image.

Re:A mental image is worth 10^3 words. (1)

martin-boundary (547041) | more than 4 years ago | (#30955544)

There's a nice/nontechnical introduction to the exponential in this streaming video talk [globalpublicmedia.com]

Re:Here's an idea! (1)

hedwards (940851) | more than 4 years ago | (#30955516)

That's the point, an exponential payout would encompass all of Google's future profits within the year. Whereas the logarithmic increase would be a tiny incremental increase each time an exploit was turned in.

Re:Here's an idea! (1)

martin-boundary (547041) | more than 4 years ago | (#30956108)

A logarithmic increase for each extra bug would not be any incentive at all, and would not work the way the OP claimed it would:

So the one person who finds the whopper of a bug five years from now could get $100,000...

Re:Here's an idea! (0)

Anonymous Coward | more than 4 years ago | (#30955458)

The idea being that once more and more bugs are discovered, the number of bugs left to discover will diminish

That hypothesis only holds true if the source code to Chromium is never updated. Ever. For any reason.

$25,750,000,000!!! (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#30954790)

So if I'm on Chromium right now...
Awesome [google.ca] Averaging 1 bug per picture (some with multiple, some without), at 500 dollars each...

I'll take my 25 Billion billion please. Keep the change.

Re:$25,750,000,000!!! (3, Funny)

Monkeedude1212 (1560403) | more than 4 years ago | (#30954828)

I wrote Billion twice? Clearly the amount amount is staggering staggering.

Re:$25,750,000,000!!! (0)

Anonymous Coward | more than 4 years ago | (#30955064)

Billy-uns and billy-uns and billy-uns......

If Microsoft did this for Windows... (1)

jgagnon (1663075) | more than 4 years ago | (#30954822)

They'd have a 100% market share and be out of business. :p

Re:If Microsoft did this for Windows... (1)

Icegryphon (715550) | more than 4 years ago | (#30955802)

That is assuming they would fix those bugs,
instead of filing them under: don't care.

dilbert (0)

Anonymous Coward | more than 4 years ago | (#30954942)

Heh.. Reminds me of the Dilbert strip where the company starts offering developers bonuses for fixing bugs. Pretty soon lots of bugs start appearing, and developers suddenly start fixing lots of them.

Re:dilbert (5, Funny)

Brian Gordon (987471) | more than 4 years ago | (#30955148)

Found it for you [dilbert.com].

Re:dilbert (1)

moonbender (547943) | more than 4 years ago | (#30955520)

Hey, I didn't know about /fast. That's pretty cool, thanks.

Re:dilbert (1)

DebianDog (472284) | more than 4 years ago | (#30955522)

Thank you!!!! This is EXACTLY the first thing I thought of.

Why tell when you can exploit? (0, Troll)

2obvious4u (871996) | more than 4 years ago | (#30954996)

Why claim a $500 reward when you can exploit and steal more?

Re:Why tell when you can exploit? (3, Insightful)

TheRaven64 (641858) | more than 4 years ago | (#30955070)

Well, it is more legal. On the other hand, I suspect that you can sell details of exploitable vulnerabilities to various organised crime syndicates and government agencies for a lot more than $500...

Re:Why tell when you can exploit? (2, Informative)

BZ (40346) | more than 4 years ago | (#30955440)

The going rate for IE and Firefox vulnerabilities on the open market was in the $10k range when I last checked a few years back.... So yeah. The $500 thing is more to motivate white-hats to maybe look at it than to keep black-hats from selling their stuff to the highest bidders.

Re:Why tell when you can exploit? (4, Insightful)

tomhudson (43916) | more than 4 years ago | (#30955090)

Why claim a $500 reward when you can exploit and steal more?

In Soviet Russia, spammer rewards YOU!

I'll take exploits for $500, Alex.
Sorry, the Russian Business Network is paying $5000.

Re:Why tell when you can exploit? (0)

Anonymous Coward | more than 4 years ago | (#30955582)

So where is this market with Russian business men and how easily accessible is it?

Re:Why tell when you can exploit? (1)

tomhudson (43916) | more than 4 years ago | (#30955726)

So where is this market with Russian business men and how easily accessible is it?

In Soviet Russia, businessman access YOU!

Seriously? Just search the chat rooms, or follow the links from any of the spam software you get, and you'll find a buyer. Look for sites that search engines say "This site has malware" etc., and you'll find a buyer.

Re:Why tell when you can exploit? (3, Insightful)

matzahboy (1656011) | more than 4 years ago | (#30955098)

Because that is illegal... the idea of this project is to give honest security researchers incentives to find bugs so that the people who would exploit them cannot.

What exactly is illegal about it? (1)

SmallFurryCreature (593017) | more than 4 years ago | (#30955822)

People keep saying this, but it ain't illegal at all. Show me the law.

Re:Why tell when you can exploit? (1)

Internalist (928097) | more than 4 years ago | (#30955694)

What?!? Because you have morals. The incentives are of course there for honest people, not thieves and scoundrels. That is, honest people who care about securing/protecting their own systems & privacy, and/or that of others (sometimes people like to help other people).

Presumably the hope is that incentivizing things this way will make the morally-upright people have a go at finding the bugs...ideally *before* the nefarious crowd swoops in...

This is the future of IT. (0)

Anonymous Coward | more than 4 years ago | (#30955028)

Get paid $500 a year for the one bounty you hit before the hordes of others get it.

What about when the bugs are "features"? (2, Interesting)

Daetrin (576516) | more than 4 years ago | (#30955124)

I just talked about this in the other Chrome article [slashdot.org], but all the bugs I'd like to report they claim to be features.

Even though they say they know it causes problems [chromium.org] they'd rather continue to have a browser with issues rather than implement proven solutions that other browsers have come up with because they have aesthetic issues with those solutions.

I really don't appreciate them making the product less useful to me because they don't like the solutions other people have come up with but can't think of anything better themselves. In my mind that counts as a bug, but that's not a definition they're going to accept.

google just does everything different (4, Interesting)

Lord Ender (156273) | more than 4 years ago | (#30955146)

Some software companies sue security researchers. A few (Adobe) even attempt to get researchers arrested! Microsoft openly espouses its disdain for security researchers (see Ballmer's comments at the shareholders' meeting).

Google? Google pays them cold, hard cash.

I swear, it seems Google bucks every bad trend in the software/IT industry. It's like they're reading Slashdot and doing everything we say! The only real gripe slashdotters have with google is targeted advertising, but that's their revenue model, so the best we can hope for is that they don't give the info to those who would use it for something harmful (which seems to be the case).

Re:google just does everything different (1)

maxwell demon (590494) | more than 4 years ago | (#30955386)

It's like they're reading Slashdot and doing everything we say!

Let's try: Google, please give me a billion dollars.
OK, I said it on Slashdot. Let's see if it works.

Re:google just does everything different (1)

Lord Ender (156273) | more than 4 years ago | (#30955462)

Sorry, but Sergey Brin browses at +5. The mods will need to show you some love if you want any chance at that...

Re:google just does everything different (1)

hedwards (940851) | more than 4 years ago | (#30955576)

I think you have to include your full name, SSN, bank account number and address. How else are they supposed to get the money to you?

Re:google just does everything different (1)

maxwell demon (590494) | more than 4 years ago | (#30955872)

They are Google. They are supposed to find that information. :-)
(BTW, what would they need my SSN for?)

Re:google just does everything different (0)

Anonymous Coward | more than 4 years ago | (#30956216)

Thank you for posting on Slashdot.
We are now processing your cheque for $1,000,000,000.
Paid to the order of: maxwell_demon

Address:
PO Box 590494
Friday, January 29, @04:31
PM, 30955

Re:google just does everything different (1)

bill_mcgonigle (4333) | more than 4 years ago | (#30955456)

I swear, it seems Google bucks every bad trend in the software/IT industry.

Here's Bruce Schneier pointing out the problems with such strategies in 1998 [jammed.com]. Point #3 is probably most salient in this case, but Chromium isn't open source, so the first two are still valid.

Re:google just does everything different (3, Informative)

Lord Ender (156273) | more than 4 years ago | (#30955530)

but Chromium isn't open source

Bzzzzt!

"Chromium is the open-source project behind Google Chrome."

http://code.google.com/chromium/ [google.com]

Re:google just does everything different (0)

Anonymous Coward | more than 4 years ago | (#30956062)

I wish I could mod you down just because of that Bzzzzzzt! crap.

It's fucking annoying.

Re:google just does everything different (0)

Anonymous Coward | more than 4 years ago | (#30956142)

yeah it is as if someone is shooting Bzzzzzzt! very close to my ears. I hope no one else says Bzzzzzzt!, because Bzzzzzzt! is so annoying. Bzzzzzzt!

Not applicable. (0)

Anonymous Coward | more than 4 years ago | (#30956032)

These don't really apply as:
1) this isn't a 'contest' but a reward for reporting flaws
2) they are doing this to find/fix flaws, not demonstrate how 'uncrackable' they are

This, to me, seems the right way to do things:
1) show your code
2) ask people to look at it
3) provide incentive for finding/reporting flaws
4) fix these flaws.

Re:google just does everything different (0)

Anonymous Coward | more than 4 years ago | (#30956098)

I swear, it seems Google bucks every bad trend in the software/IT industry.

Here's Bruce Schneier pointing out the problems with such strategies in 1998 [jammed.com]. Point #3 is probably most salient in this case, but Chromium isn't open source, so the first two are still valid.

Good old Bruce was writing about cracking contests.
The way TFS is phrased, it doesn't sound like Google will at any point claim "we're secure, because we paid for security bugs."
It sounds more like "we'd like to be secure. Probably we messed up somewhere. We'll try to find it ourselves, but if you help us out, we'll say thanks and get you a beer."

Bruce's rant was against companies who'd say something like "Chromium is the most secure browser ever. We are so convinced, we will actually pay for security bugs found in our code." Google's statement sounded quite different to me.

Re:google just does everything different (3, Interesting)

ThrowAwaySociety (1351793) | more than 4 years ago | (#30956122)

I swear, it seems Google bucks every bad trend in the software/IT industry.

Here's Bruce Schneier pointing out the problems with such strategies in 1998 [jammed.com] . Point #3 is probably most salient in this case, but Chromium isn't open source, so the first two are still valid.

Totally different. Schneier is talking about putting up money to "prove" that a given product has no bugs. Google is smart enough to know that every product has bugs, and is just giving an incentive for people to find them (or more likely, for the finders to report them.)

Re:google just does everything different (0)

Anonymous Coward | more than 4 years ago | (#30955638)

Hmm, use it for something harmful . . . Like that Raytheon commercial for American Cyber-warfare experts (Ad provided by Google) that keeps showing up when I check out /.? Define harmful, and to whom, please.

Re:google just does everything different (4, Informative)

Lord Ender (156273) | more than 4 years ago | (#30955816)

Define harmful

Not harmful: showing you gadget ads instead of tampon ads because they know you're in the gadget demographic.

Harmful: helping a dictatorship track you so they can kill you for espousing liberal views; helping law enforcement investigate your online activity without due process.

As far as I can tell, Google only does the "not harmful" stuff with the data it collects, and in some cases it goes to great lengths to avoid doing the "harmful" stuff.

Re:google just does everything different (0)

Anonymous Coward | more than 4 years ago | (#30955922)

The only real gripe slashdotters have with google is targeted advertising, but that's their revenue model, so the best we can hope for is that they don't give the info to those who would use it for something harmful (which seems to be the case, for now anyway).

FTFY

Direct deposit plz (1)

deglr6328 (150198) | more than 4 years ago | (#30955192)

here you go [ebayimg.com] . I can haz monies nao plz? kthxbye.

I know a bug (0)

Anonymous Coward | more than 4 years ago | (#30955308)

There's something causing facebook and twitter icons on my slashdot.

Not worth it (0)

Anonymous Coward | more than 4 years ago | (#30955402)

People are willing to pay $10 000 for such bugs.

So.. let's say, the evil google pays you $500..
The evil chinese pays you $10 000

Easy choice, I say. In fact, researching a critical vulnerability for $500 on such a big project (= it's audited, so the search is hard) certainly is a waste of your time.

$500573 (1)

El_Muerte_TDS (592157) | more than 4 years ago | (#30955502)

And $500573 for a serious security bug?

Re:$500573 (1)

EkriirkE (1075937) | more than 4 years ago | (#30955742)

SOOSTE? or did you mean 600613

Re:$500573 (1)

2obvious4u (871996) | more than 4 years ago | (#30955900)

55378008

Find a bug, win a Bug? (1)

sfjohnson (102001) | more than 4 years ago | (#30955572)

Reminds me of the "Find a bug, win a Bug" promotion from Hunter & Ready Systems in the 1980s for their real-time operating system kernel.
Never met anyone who won a Volkswagen, though...
Google: Want to pony (or beetle) up?

Chrome phone home (0)

Anonymous Coward | more than 4 years ago | (#30955722)

* release software that "phone home"
* pay people to report security flaws
* ?
* !profit

Nothing like old-school incentives... (1)

geekmux (1040042) | more than 4 years ago | (#30955826)

...you know, the kind of incentives that pre-date crap like stock options in lieu of a pay raise...

Ah yes, let's all shiver from the crisp air whipping from a stack of cold hard cash. I like it.

Not so new (1)

orient (535927) | more than 4 years ago | (#30955864)

"Today, we are introducing an experimental new incentive for external researchers to participate."

D. J. Bernstein did the same thing in 1997, offering a reward for finding bugs in qmail: http://cr.yp.to/qmail/guarantee.html [cr.yp.to]

Re:Not so new (1)

MichaelSmith (789609) | more than 4 years ago | (#30955898)

It's a bit different because DJB truly believed there were no bugs. That was just advertising.

So much for Do No Evil! (0)

Anonymous Coward | more than 4 years ago | (#30956052)

Wait, do we love Appl-- oops I mean -- Google or hate 'em today?

Google catches up to Netscape? (2, Informative)

vocatan (1374285) | more than 4 years ago | (#30956260)

Netscape used to offer a "bug Bounty" for issues reported -- xref article "BUGS BOUNTY By Philip Elmer-DeWitt Monday, Oct. 23, 1995 " http://www.time.com/time/magazine/article/0,9171,983604,00.html [time.com] "[...]Netscape last week began offering cash awards to anybody who can find a security hole in the beta, or test, version of its latest browser software. Under the so-called Bugs Bounty program, the first person to identify a "significant" security flaw wins $1,000. Lesser bugs earn smaller prizes ranging from $40 sweatshirts to $12 coffee mugs. The idea, explains a company spokesperson, is to get hackers to hack when it will do the Netscape some good--before the product is officially released.[...]" So - given inflation, does this mean that the value of a bug has gone down over time - or was Netscape just paying way above market value? :D

What would Microsoft do? (0)

Anonymous Coward | more than 4 years ago | (#30956410)

I wonder what Microsoft would offer as a "bounty" for finding bugs in IE?
