
Google Broadens Bug Bounties To Include Web App Security

Soulskill posted more than 3 years ago | from the invitation-to-break-stuff dept.


n0-0p writes "Google just announced they will pay between $500 and $3133.70 for security bugs found in any of their web services, such as Search, YouTube, and Gmail. This appears to be an expansion of the program they already had in place for Chrome security bugs. 'We've seen a sustained increase in the number of high quality reports from researchers, and their combined efforts are contributing to a more secure Chromium browser for millions of users.' The rules and qualification details were posted today at the Google Online Security Blog."


Apparently (1, Funny)

imamac (1083405) | more than 3 years ago | (#34096624)

Apparently, the Chrome program of this worked well.

Re:Apparently (0)

Anonymous Coward | more than 3 years ago | (#34096972)

Yeah, this is what happens when proprietary businesses want the benefits of open source. Poor substandard work from sympathizers that couldn't see a problem with google if it hit them in the face.

Meanwhile, real specialists are making actual money through SEO scams and other fun things to do with google.

Ain't the first, ain't the last (1)

Musically_ut (1054312) | more than 3 years ago | (#34096644)

Google: Keeping the Knuth tradition in CS alive!

Rejoice!

Re:Ain't the first, ain't the last (0)

Anonymous Coward | more than 3 years ago | (#34096754)

perpetually beta? half-assed products?

Re:Ain't the first, ain't the last (0)

Anonymous Coward | more than 3 years ago | (#34097852)

Knuth offered $1 for each typo in his textbooks. This was back when $1 was worth, well, $1.

Re:Ain't the first, ain't the last (2, Informative)

johny42 (1087173) | more than 3 years ago | (#34098674)

Actually, it was one hexadecimal dollar, which amounted to 256 (standard) cents.

Re:Ain't the first, ain't the last (1)

DragonWriter (970822) | more than 3 years ago | (#34102394)

Actually, it was one hexadecimal dollar, which amounted to 256 (standard) cents.

1 in hexadecimal is the same as 1 in decimal. 1 dollar (decimal) is the same as 1 dollar (hex).

Now, 100 (hexadecimal) cents is the same as 256 (decimal) cents, which is probably what you mean.

1 dollar (decimal or hexadecimal) = 100 (decimal) cents

Re:Ain't the first, ain't the last (1)

johny42 (1087173) | more than 3 years ago | (#34147342)

A hexadecimal dollar is 100 hexadecimal = 256 decimal cents. There's a semantic difference in "1 (hexadecimal dollar)" (Knuth's version) vs "(1 hexadecimal) dollar" (your version).

See Donald Knuth's FAQ [stanford.edu].

Also, it's a joke, so there's probably no point in arguing technicalities.

Does this imply.... (2, Interesting)

santax (1541065) | more than 3 years ago | (#34096648)

I can actually 'test' the security of youtube/gmail and such and don't get a party-van in front of my house?

Re:Does this imply.... (4, Informative)

butalearner (1235200) | more than 3 years ago | (#34096670)

From TFA:

These categories of bugs are definitively excluded:

  • attacks against Google’s corporate infrastructure
  • social engineering and physical attacks
  • denial of service bugs
  • non-web application vulnerabilities, including vulnerabilities in client applications
  • SEO blackhat techniques
  • vulnerabilities in Google-branded websites hosted by third parties
  • bugs in technologies recently acquired by Google

Re:Does this imply.... (3, Funny)

santax (1541065) | more than 3 years ago | (#34096696)

They are raining on my parade. *stops pinging to google.com*

only elite haxors need apply (0)

Anonymous Coward | more than 3 years ago | (#34096668)

I wonder how many 31337 bounties they're giving out.

Re:only elite haxors need apply (1)

icebike (68054) | more than 3 years ago | (#34097288)

Never mind how many, I'm still wondering about that number.

I'm sure there is a swoosh involved somewhere, but what is the significance of 3133.70?

Re:only elite haxors need apply (0)

Anonymous Coward | more than 3 years ago | (#34097316)

Elee.t
aka
Elite

Re:only elite haxors need apply (1)

Cwix (1671282) | more than 3 years ago | (#34097320)

31337 = eleet (elite)

LOLWUT (0)

Anonymous Coward | more than 3 years ago | (#34098272)

How the fuck does a 5 digit UID not know what 31337 is???

Re:LOLWUT (2, Funny)

icebike (68054) | more than 3 years ago | (#34098330)

Too old to pay much attention to kiddies I guess.

Re:only elite haxors need apply (1)

GameboyRMH (1153867) | more than 3 years ago | (#34099728)

Hand over your geek card, that's a 3-month suspension.

I wonder... (0)

Anonymous Coward | more than 3 years ago | (#34096692)

... if you have to be hax0r to snag bugs in the $3133.70 range. Bada bing, bada boom.

Found some! (1)

Anne_Nonymous (313852) | more than 3 years ago | (#34096762)

>> they will pay between $500 and $3133.70 for security bugs found in any of their web services,

I just found "About 7,690,000 results (0.33 seconds)" for security bugs in one of their services. Just go ahead and make that check out for an even bazillion and we'll call it good.

I wonder how the culture works on the other side. (1)

NBolander (1833804) | more than 3 years ago | (#34096862)

Does the responsible coder buy his department a cake, a case of beer, or is he/she given a stern talking to?

This is such a smart move... (1)

Rooked_One (591287) | more than 3 years ago | (#34096884)

In the end, they will be able to claim "If there were bugs, we paid you to find them, and you did... Lots of them. And because of that our browser is the best."

Just wait for it.

Re:This is such a smart move... (0)

Anonymous Coward | more than 3 years ago | (#34097174)

Why would we want to help secure a spyware OS and spyware browser anyways? So that the software you choose to run that compromises your system doesn't get compromised itself?

Re:This is such a smart move... (1)

Rooked_One (591287) | more than 3 years ago | (#34098546)

Never said I used chrome - just saying what google will say down the road. ;)

Re:This is such a smart move... (0)

Anonymous Coward | more than 3 years ago | (#34099006)

This is a strategic move to keep Microsoft out of the mobile arena.
A better, less buggy, more secure product is a trump marketing point, worth lots.
The serious top end mobile business market demands, and pays for, a safe experience.

Every phone is going to need an operating system, browser and apps.
Eventually will come the point 'ours is secure' AND modern for a whole safer experience. The Apple .pdf file trick shows how quickly deadly impressions can be made.

So nice of MS to roll on back and give Google all the money.

Bug economy (4, Interesting)

Caerdwyn (829058) | more than 3 years ago | (#34096922)

A story from the past...

A Former Employer Who Shall Not Be Named had a product about to go golden-master, and wanted every employee in the company to participate in the final round of testing. Then the pointy-haired bosses got an idea! During the last round of testing, they put up a bounty of twenty dollars for each P3, fifty dollars for each P2, and a hundred dollars for each P1 bug found. However, the pointy-hairs decreed QA and Dev were excluded, and in the same breath decreed that QA and Dev would be working overtime.

An underground economy of bugs immediately sprang up. QA guys would find bugs and quietly share them with tech support/sales engineers/etc. Devs would notice (and it was whispered, though never proven, create) bugs and quietly share them with IT. And the proceeds would be split between the ineligible employees and the eligible.

Over fifty thousand in bounties were paid. Then the pointy-hairs got wind of what was going on.

And that was the end of that.

Irrelevant to the story at hand, though, I'm quite sure...

Re:Bug economy (1)

Christopher Fritz (1550669) | more than 3 years ago | (#34097056)

Seems CVS or similar would counter purposely creating bugs, unless someone's going to modify the history tree, and any older copies of the source code sitting around.

Am I missing any openings where "insert bugs" can still fill "???" and lead to "PROFIT!"? Maybe putting a bug in on purpose, and letting it sit around for a month before reporting it?

Re:Bug economy (0)

Anonymous Coward | more than 3 years ago | (#34098068)

Finally the Meme has been resolved.

1. "Enhance" the testbench or change the random seed.
2. Collude with your peers.
3. Profit.

Re:Bug economy (1)

SheeEttin (899897) | more than 3 years ago | (#34097998)

Hmm. I wonder if offering a non-monetary reward (e.g. baked goods) or a simple fiat "high score" would be an improvement on that.
Though one must always watch for people gaming the system, or becoming too fixated on the reward, when it's the bug-fixing that's the important part.
Perhaps only reward during specified "bugfix drives", and disqualify/discipline/fire anyone found to be inserting bugs just to be the one to fix them?

Re:Bug economy (1)

Caerdwyn (829058) | more than 3 years ago | (#34105206)

As far as I know (this was about 6 months before my time at That Company, and was the subject of hallway lore, which is how I learned of it), it was never proven that buggy code was being deliberately checked in. What WAS certainly going on was that people who were in a position to know about bugs but were bounty-ineligible were sharing that knowledge with people who were bounty-eligible. The bugs were found and fixed, the product wasn't hurt, but the bounty system was thoroughly gamed by people who were excluded and heavily-worked.

Time period: 1993.

Hey Google. (-1, Flamebait)

UncHellMatt (790153) | more than 3 years ago | (#34097070)

How about you just pay taxes, and stop ratting people out to the Chinese government. Any bugs in your software will be a lot more readily forgiven.

$3133.70? (0)

Anonymous Coward | more than 3 years ago | (#34097172)

Does everyone mean $1337 or do I need to stop drinking?

Re:$3133.70? (0)

Anonymous Coward | more than 3 years ago | (#34097272)

elite -> eleet -> 31337 and to avoid paying $31k every time a bug comes in, shift right once to 3133.70

Stop drinking, your liver will thank you, if it survives.

BFD (3, Funny)

thenextstevejobs (1586847) | more than 3 years ago | (#34097206)

I will offer 20 times the bounty to anyone who finds similar exploits in my products.

Oh, what's that, you can't find any?

Security through obscurity wins again.

Re:BFD (1)

SirThe (1927532) | more than 3 years ago | (#34098096)

Security through obscurity wins again.

Everyone knows that works so well for Microsoft.

Re:BFD (1)

merkki (1870268) | more than 3 years ago | (#34098988)

I get what you mean, but, how is Microsoft obscure?

Re:BFD (0)

Anonymous Coward | more than 3 years ago | (#34101330)

Critical Service Vulnerability: Product not available.

There is a critical vulnerability in all products under test. None of them are available for use and therefore are incapable of providing service.

When can I expect the check?

Google Being Cheap (0)

Anonymous Coward | more than 3 years ago | (#34097260)

I don't understand why anyone who is attempting to exploit Google services in some way would ever turn over their bug report instead of trying to sell the information on the "black market." It seems to me you'd get exponentially more money that way than a paltry $3K from being a good boy.

I'm not condoning such mercenary hacker tactics, but really, Google is being absurdly cheap here with their reward money. They would pay any real security analyst one-hundred times that amount for the same thing.

Re:Google Being Cheap (1)

JorDan Clock (664877) | more than 3 years ago | (#34097466)

What makes you think these exploits are worth more on the "black market?"

Re:Google Being Cheap (1)

GameboyRMH (1153867) | more than 3 years ago | (#34099794)

I would guess experience...because he's right.

Although not about the "exponentially" part. 3000^2=9 million. But yeah the black market price for any remote-exploitable bug starts higher than Google's biggest reward. And it's easier to get away with not paying taxes on the black market deal.

China (1)

C_Kode (102755) | more than 3 years ago | (#34097304)

China is paying $1,000 and $6267.40 for any security bugs found in any of Google's web services. ;)

IE? (2, Funny)

dudpixel (1429789) | more than 3 years ago | (#34097386)

Waiting for Microsoft to start one of these for Internet Explorer or Windows. Then I can retire :)

Re:IE? (1)

jcaldwel (935913) | more than 3 years ago | (#34104644)

Supposedly Verisign's iDefense [idefense.com] labs will pay for IE exploits. Have a great retirement.

How about Google starts listening to its forums? (1)

yourtallness (1183449) | more than 3 years ago | (#34098126)

Google, how about you solve some bugs/feature requests long overdue, for free (no bounty needed)? e.g. Word wrap for event titles in Google Calendar, lack of which has pissed off many a man?

What bugs get the eleet bounty? (1)

maxbash (1350115) | more than 3 years ago | (#34098200)

Wake me when the bounty is $ 9009.13

Re:What bugs get the eleet bounty? (0)

Anonymous Coward | more than 3 years ago | (#34099086)

Wake me when the bounty is $ 9009.13

900913 = Google

Oh yeah... I am so getting modded higher than the GP.

Re:What bugs get the eleet bounty? (1)

Shikaku (1129753) | more than 3 years ago | (#34099334)

It's OVER 9000!

caution nerd reference (0)

Anonymous Coward | more than 3 years ago | (#34098254)

You would need to be an elite hacker to pick up on the $3133.7 prize...

What? (0)

Anonymous Coward | more than 3 years ago | (#34099430)

No-one on slashdot mentioned or noticed the weird 313370 price?
