
Google Ups Bug Bounty To $20,000

Unknown Lamer posted more than 2 years ago | from the security-through-cash dept.


Trailrunner7 writes, quoting Threatpost: "Search giant Google said it is quintupling the top bounty it will pay for information on security holes in its products to $20,000. Google said it was updating its rewards and rules for the bounty program, which is celebrating its first anniversary. In addition to a top prize of $20,000 for vulnerabilities that allow code to be executed on product systems, Google said it would pay $10,000 for SQL injection and equivalent vulnerabilities in its services and for certain vulnerabilities that leak information or allow attackers to bypass authentication or authorization features."


A failure of conventional hack-ism ? (2, Interesting)

Taco Cowboy (5327) | more than 2 years ago | (#39777749)

I am sure Google is employing many many very able programmers, but if Google has to pay bounty to hackers up to $20,000 to find bugs, does that mean the programmers who are sitting in Google's offices around the world have phailed?

Re:A failure of conventional hack-ism ? (5, Insightful)

mark-t (151149) | more than 2 years ago | (#39777789)

It probably means that they realize that they've come to a point in the project where crowdsourcing QA is more cost-effective than using internal QA. This isn't because their internal QA is incompetent, it's because they are only just so many.

Re:A failure of conventional hack-ism ? (-1)

Anonymous Coward | more than 2 years ago | (#39777929)

I would say it's because their internal QA is either incompetent, or just doesn't care.

If you don't believe me, take a look at their Gmail 'migration' tools. Tip of the iceberg.

-AC

Re:A failure of conventional hack-ism ? (-1)

Anonymous Coward | more than 2 years ago | (#39778371)

I hate black gangster bastards with their fat lips and shit colored faces. I wish they'd all stop trying to be something they're not. Niggers are closer to monkeys than white people. They belong either in a field picking cotton or in a zoo. And there's a sign that says, "Don't feed the nigger.. or give him drugs."

Ya know what else I hate? Indians.

I can't stand fat, drunk Native American bastards that take all our tax money and bitch that they're still being affected by their ancestors who died 200 years ago. "Boohoo, I'm 1/64 Chippawa and my great, great, great, great, great grandpa died of Small Pox because of you. Now give me $1000/month." Fuck no and fuck you. Whites won fair and square.

See, wars have winners and losers. White people went to war with Indians, and whites won. It's The United States of America now. Shut up and deal with it.

"Waa, boohoo, our heritage is being lost." Fuck that. Who gives a shit about heritage? Whites don't even care about their stupid heritage. It's all the same shit. Stop acting like you're special. You're a human like everybody else. A stupid, fat, lazy, primitive looking human, but a human none-the-less.

Ya know what else I hate? Gooks. Fucking chink bastards should be nuked.

Why couldn't the US have nuked Japan right off the map? I don't understand why they stopped at two cities. If you start a job, you might as well finish it.

Along the same lines, how come nobody stood up to take Hitler's place in eliminating the world of those whiney, greedy, kike bastards?

I hate every ethnicity. I think there should be a new Olympic sport where you put samples of every race into a field and they all get weapons and have to kill eachother. Then the the last team left standing wins a cheesy plastic medal, and then is quickly shot by riflemen and eaten by hungry white men with tobasco sauce and salsa.

Re:A failure of conventional hack-ism ? (-1)

Anonymous Coward | more than 2 years ago | (#39779895)

and when china launches its arsenal of nukes at you trailer-park welfare-boozing gun-whipped inbred redneck morons, the rest of the world will be happy because a smoldering radioactive crater will be far and away better than the festering moldy white shit that's currently stinking up parts of the US

See, wars have winners and losers.

and when china decides its time for the US to pay back its ridiculous debt, it can use your tongue to wipe its ass, and your tongue will smell like chink shit, you shit-smelling nigger-fucker

go back to sucking your gook momma's tits

Re:A failure of conventional hack-ism ? (-1)

Anonymous Coward | more than 2 years ago | (#39791959)

umad?

captcha: jellies

Re:A failure of conventional hack-ism ? (-1)

Anonymous Coward | more than 2 years ago | (#39781957)

Along the same lines, how come nobody stood up to take Hitler's place in eliminating the world of those whiney, greedy, kike bastards?

Sounds like somebody just volunteered. I look forward to seeing what you can do with your regime, while it lasts.

Re:A failure of conventional hack-ism ? (0)

Anonymous Coward | more than 2 years ago | (#39778877)

If you have ever asked anyone for any - even the slightest bit - of help when you're working on something, you'd be able to understand something like this. At the least I'm assuming you don't pay the mortgage writing or testing software.

Re:A failure of conventional hack-ism ? (1)

jimicus (737525) | more than 2 years ago | (#39779847)

The GMail migration tools aren't so much poorly QA'd as poorly designed.

They're quite obviously written by developers, for developers, and so "generating a useful, informative error message in plain English" appears to have totally fallen by the wayside.

Re:A failure of conventional hack-ism ? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#39777795)

The inference to be drawn is that finding a security hole would take more than 20k of programmer time, so probably the holes remaining are _hard_ to find. Seems more like a success than a failure to me.

Re:A failure of conventional hack-ism ? (3, Interesting)

AbRASiON (589899) | more than 2 years ago | (#39778155)

This 20k figure has very little to do with programmer time.

It has a LOT more to do with Google's size and customer base. When you look at just how much data Google has, just how many customers (paying as well, with Google Apps), 20k is absolute pocket change to possibly convince someone malicious to instead fix the problem rather than exploit it.

Re:A failure of conventional hack-ism ? (3, Insightful)

MobileTatsu-NJG (946591) | more than 2 years ago | (#39779065)

It's more likely that a bug would do more than $20,000 worth if damage.

Re:A failure of conventional hack-ism ? (1)

equex (747231) | more than 2 years ago | (#39781707)

Maybe not just one, but the one that proves fatal could be worth more than both reputation and money. And yeah, upping the ante like this shows the data from the previous program proved that offering $20000 is optimal and is indeed not a fail.

Re:A failure of conventional hack-ism ? (1)

Forty Two Tenfold (1134125) | more than 2 years ago | (#39788997)

[... A] bug would do more than $20,000 worth when damage.

FTFY. (JK)

Re:A failure of conventional hack-ism ? (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#39810035)

Hah. Ouch, I deserved that. :)

Have a good week, man.

Re:A failure of conventional hack-ism ? (1)

bloodhawk (813939) | more than 2 years ago | (#39779473)

20K is pretty well chump change when it comes to time. A professional security code auditor will charge you that for 2 weeks of work. If they do manage to get people collecting, then they have found an incredibly cheap way to find security bugs.

Re:A failure of conventional hack-ism ? (4, Insightful)

Bucky24 (1943328) | more than 2 years ago | (#39777809)

I can see why you might think that, but I strongly suspect that Google has already put their own programmers to work finding bugs. This is their attempt to "crowdsource" the bug-finding. The more eyes on the code, the more bugs that can be found. Also they realize that not all the brilliant minds work for them, and some might decide to exploit a bug for monetary gain rather than turn it in. The bounty is to give those people a bit more of a reason to turn the bug in.

Re:A failure of conventional hack-ism ? (4, Interesting)

FSWKU (551325) | more than 2 years ago | (#39777823)

I am sure Google is employing many many very able programmers, but if Google has to pay bounty to hackers up to $20,000 to find bugs, does that mean the programmers who are sitting in Google's offices around the world have phailed?

Not necessarily. It just means that while they're confident in their code, they believe that it's always a good idea to have things vetted in the real world. The reasoning behind this is that the developers are often so close to the code that they can't possibly see EVERY conceivable bug or vulnerability. Inviting others to poke your products with a stick on a constant basis is a good thing. It lets Google get some good press, and also a MUCH more thorough real-world trial than they could do in house.

In a way, it's somewhat reminiscent of the developers who worked on the flight software for the Space Shuttle computers [fastcompany.com]. Teams would actually compete to see who could find more bugs in the other team's code. This led to some of the most robust and bug-free software ever written.

Re:A failure of conventional hack-ism ? (3, Insightful)

jhoegl (638955) | more than 2 years ago | (#39777829)

Nope, it means they are offering proper market value for bugs found in their systems and are confident enough to offer such high bounties for them.

If, however, this were Microsoft or Apple, they would not offer such high amounts as bounties as they would soon go bankrupt from the financial burden of paying out these bounties.

So, not only is Google saying "we are confident and proud of our product" they are also saying "we know there are bugs and even though we are confident in our products we are willing to pay out for people finding them".

Re:A failure of conventional hack-ism ? (3, Interesting)

lostchicken (226656) | more than 2 years ago | (#39778039)

I'd love to see a more vibrant market for this. The cost paid per bug (perhaps normalized by product revenue) would be a really useful measure of software reliability.

Re:A failure of conventional hack-ism ? (1)

jhoegl (638955) | more than 2 years ago | (#39778129)

I agree. It would also force companies to invest in proper security and proper QA practices to prevent these payouts.

Re:A failure of conventional hack-ism ? (1)

jeffmeden (135043) | more than 2 years ago | (#39778205)

I'd love to see a more vibrant market for this. The cost paid per bug (perhaps normalized by product revenue) would be a really useful measure of software reliability.

Interesting idea, but for there to be a market there needs to be something liquid. You could say that only companies willing to have a (transparent) bug bounty program are running tight software ships, but that's still not enough to convince everyone out there to start bounty programs. It's not about the net value of a bug in x program to x program's owner, it's the value of the time that random hackers have to devote to finding the bugs. The higher the price the harder it was to find (and theoretically the more secure the software is), but with that it's going to take a lot of competition to drive the price up considering how infrequently the bounties are cashed in.

Re:A failure of conventional hack-ism ? (2)

Monkier (607445) | more than 2 years ago | (#39778123)

Which is a much better position than "Let's pretend there's no bugs, and hush up anyone who says there is". Nice one, Google...

Re:A failure of conventional hack-ism ? (0)

Anonymous Coward | more than 2 years ago | (#39778729)

Which is a much better position than "Let's pretend there's no bugs, and hush up anyone who says there is". Nice one, Google...

Google just said in that statement they have received thousands of reports and from them, they paid on hundreds of them, so that doesn't make sense.

Re:A failure of conventional hack-ism ? (1)

tudsworth (1919278) | more than 2 years ago | (#39781497)

Bogus reports; either in the form of some hack trying to grub money or somebody reporting a bug that wasn't a bug at all, perchance? Considering the amount of money on offer, I can see both being pretty goddamn prevalent.

Re:A failure of conventional hack-ism ? (5, Interesting)

Anonymous Coward | more than 2 years ago | (#39778153)

What they're offering is still well below the $100,000 that a digital arms dealer like Vupen [forbes.com] charges for a year's subscription plan for exploits it discovers. And according to the Forbes article I linked to, some vulnerabilities individually cost several times more than that. It's so fucked up that NATO countries pay these security firms like Vupen, HB Gary Federal, etc. for exploits in the products of legitimate software companies for their use in cyberwarfare, espionage, and other nefarious shit. They'd rather leave everyone vulnerable, not even using the info they purchase to shore up their own government's systems lest the vulnerability become public and they lose the value of their purchase. If I were Google I'd save the bounty money and give it to their lawyers to create a tsunami of FOIA requests with every government they can to get the info about whatever exploits they have. Start a PR campaign letting the public know that their own government has knowledge that could help software companies make their products more secure for the computing public at large. Maybe if some influential people in the security field and tech firms complain loudly enough, something will change. I doubt it, but what the hell else is there to do?

Re:A failure of conventional hack-ism ? (1)

Raenex (947668) | more than 2 years ago | (#39786999)

I like their entrepreneurial spirit:

Google security staffers responded by scolding Bekrar for disregarding users' privacy and called him an "ethically challenged opportunist."

Bekrar shrugs off the insults. "We don't work as hard as we do to help multibillion-dollar software companies make their code secure," he says. "If we wanted to volunteer, we'd help the homeless."

It is pretty hypocritical for somebody at Google to be challenging someone else for users' privacy.

Re:A failure of conventional hack-ism ? (2)

lucm (889690) | more than 2 years ago | (#39778659)

If, however, this were Microsoft or Apple, they would not offer such high amounts as bounties as they would soon go bankrupt from the financial burden of paying out these bounties.

Microsoft has a more cost-effective way to deal with bugs: the MVP, aka "unpaid Level 1 support staff unleashed on forums and blogs who accept to do Microsoft's work in exchange for a title, a pin and a secret handshake instead of a salary". And when MVPs cannot solve a problem or find a serious bug, they simply push them on Microsoft Connect and wait for a Service Pack or a hotfix, like the Common People.

Apple has a similar program (maybe even more brilliant) but only at the marketing level and they provide no formal title; the unpaid staff is informally called "fanbois" by those who know better, and they are convinced that promoting Apple products is a reward by itself so they don't need a pin or a logo.

Having been an MVP... (2)

Interfacer (560564) | more than 2 years ago | (#39781377)

I can tell you that it depends on which product group you are active in.
Some teams, like the C++ product group, have (at least when I was an MVP) a very good relationship with their MVPs. This included getting developers to look at weird bugs, getting lots of interesting information, technical previews, etc. From my experience, the low level groups (SDK, DDK, C++) had a very active private community going with their MVPs.

For people interested in the product they were working with (C++ and SDK for me) being an MVP can be a rewarding experience, because you get a lot of technical inside information, people to talk with, an MSDN subscription, some free incidents with Microsoft support, etc.

Other (often the larger) product groups had virtually no real relationship with their MVPs, and some groups just treated them like unpaid 1st level support. Or in some cases they just plain ignored them. What it means to be an MVP and what you get out of it really depends entirely on your category and interest group. It can range from very good to very crappy.

Re:A failure of conventional hack-ism ? (1)

Raenex (947668) | more than 2 years ago | (#39787113)

If, however, this were Microsoft or Apple, they would not offer such high amounts as bounties as they would soon go bankrupt from the financial burden of paying out these bounties.

Patently ridiculous. Both Apple and Microsoft make billions of dollars per year in profits. They could pay $100,000 per bounty and only owe $100 million for 1,000 security bugs.

Re:A failure of conventional hack-ism ? (0)

Anonymous Coward | more than 2 years ago | (#39779965)

Google does have their own security team. Unfortunately most of them are only capable of finding bugs in Windows software, like the Tavis Ormandy asshole.

Re:A failure of conventional hack-ism ? (1)

jimbolauski (882977) | more than 2 years ago | (#39781879)

Let's look at this from an economical point: if Google pays its programmers 60-80k to find bugs in its software, with benefits and other overhead costs included that employee costs 150-240k a year; that's 8-12 bugs a year for the employee to be cost effective.

mmm (0)

Anonymous Coward | more than 2 years ago | (#39777803)

How does this work, then?

Do people look at this and say, "Wow, when it was $2k I wasn't interested, but now it's $20k I'll spend days of my life looking through Google code in the hope of finding a bug!"

Or is this a way of enticing black hats to come clean?

Bounty hunting makes sense when there's a lot to catch, as then everyone has a reasonable chance of success. But this is like asking privateers to waste their time looking for French ships sailing up the Thames on a Wednesday which the Navy have missed. Sure, once or twice you're going to be the first to spot a particularly egregious Frenchie meandering up the river on a Wednesday, but it's really not a particularly interesting or promising mission, is it?

Re:mmm (2)

multiben (1916126) | more than 2 years ago | (#39777921)

No one's forcing anyone to do it. Some people love spending their time trying to punch holes in security. This way they can do it legally and get rewarded for it. Seems like a pretty sweet deal to me.

Re:mmm (1)

wmbetts (1306001) | more than 2 years ago | (#39778553)

I'm one of those people. Now that I can go poke around legally and possibly get paid if I'm lucky enough to find something I will. I'd do it even if there wasn't a cash prize.

Obligatory Dilbert (2)

ace37 (2302468) | more than 2 years ago | (#39777839)

Bug bounty: http://dilbert.com/strips/comic/1995-11-13/ [dilbert.com]

Granted it's external rather than internal pay for a bug, but at $20k apiece, it wouldn't take a sleazy employee like Ratbert long to figure out...

Re:Obligatory Dilbert (3, Insightful)

icebraining (1313345) | more than 2 years ago | (#39778097)

Yes, I'm sure a Google employee will risk their $110k+benefits job and being unemployable for life in any major tech company to gain $20k.

Re:Obligatory Dilbert (1)

Inda (580031) | more than 2 years ago | (#39780253)

You underestimate human greed and the "can I get away with it?" factor.

$20k is a lot of pound notes.

Re:Obligatory Dilbert (1)

trev.norris (2010080) | more than 2 years ago | (#39779781)

More practically, they have good code tracking so they know exactly who committed each bug. Wonder if they have a three strikes rule?

20,000 (1)

thereitis (2355426) | more than 2 years ago | (#39778041)

Why not make it an even $23294 and keep the theme?

Did anyone else... (0)

Anonymous Coward | more than 2 years ago | (#39778071)

think that said "Bugs Bunny"?

Carry on Google.. (1)

Severus Snape (2376318) | more than 2 years ago | (#39778073)

Have some brownie points to go towards your 'do no evil' motto; it needs them before it falls down.

Re:Carry on Google.. (1)

icebraining (1313345) | more than 2 years ago | (#39778111)

That's not their motto.

Re:Carry on Google.. (1)

Severus Snape (2376318) | more than 2 years ago | (#39778199)

"Don't be evil" (being fastidious) was a motto, suggested by one of their earliest employees, which ended up part of the company's philosophy.

Re:Carry on Google.. (2)

icebraining (1313345) | more than 2 years ago | (#39780033)

Exactly; it's "Don't be evil", not "Do no evil". And if you think about it, the difference is huge.

Re:Carry on Google.. (0)

Anonymous Coward | more than 2 years ago | (#39780261)

True, one has a grammar mistake, the other is Google's motto.

Three reasons (3, Insightful)

gstrickler (920733) | more than 2 years ago | (#39778133)

1. Bugs are getting harder to find, especially ones that can be exploited
2. Criminals are paying good money for quality exploits.
3. It's cheaper than hiring more people to do it.

show me the way! (1)

fugas (619989) | more than 2 years ago | (#39780157)

I guess the question now is, for most of us, how do you become a good security researcher? Seriously, are there any specific tools, trainings, tutorials, non-blackhat methods available?

Re:show me the way! (0)

Anonymous Coward | more than 2 years ago | (#39780189)

Be a developer.
While developing, constantly think about ways this could be misused and code to avoid that.
Get hacked/cracked. Figure out what went wrong, patch the errors, learn from your mistake, see where similar problems could occur and patch those.
Rinse and repeat.

Eventually you'll have a strong understanding of where things can go wrong, you'll be able to target those areas in others' applications, and defend against them in your own.

Also a PR move (1)

erikwestlund (1003368) | more than 2 years ago | (#39780337)

Aside from being good business sense on the accounting side of things, this is also a PR move. The hip company pays the nerds who can help them out taking advantage of the CLOUD! I mean crowd. Did I say cloud?

Found a bug already (-1, Troll)

wbr1 (2538558) | more than 2 years ago | (#39780451)

Hey Google, I found a bug. It is called the sign in button. Use it and all one's personal data is compromised nearly as badly as the Facebook social virus. Now where is my check?

Biggest security hole in Chrome (0)

Anonymous Coward | more than 2 years ago | (#39785811)

Settings -> Personal Stuff -> Manage Saved Passwords -> Click on any password -> Click Show

In Soviet Russia (1)

Roachie (2180772) | more than 2 years ago | (#39791009)

Google bugs YOU!
