
Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program

samzenpus posted about 2 years ago | from the professional-swatter dept.

Google 24

An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) are doing right in paying bounties on bugs, as well as where there's some room for improvement."


24 comments

So it's good for Linux too (3, Insightful)

buchner.johannes (1139593) | about 2 years ago | (#39800863)

If people test security on Android and report it to Google, and someone watches the Android codebase for bugs, security fixes will come to Linux for free. Since Android and Linux recently re-merged, this doesn't seem too far-fetched.

Re:So it's good for Linux too (1)

r1348 (2567295) | about 2 years ago | (#39801373)

Except that the Android bits represent only a minimal part of the Linux kernel codebase, so the whole impact of this would be proportionally pretty small.

Re:So it's good for Linux too (1)

GuB-42 (2483988) | about 2 years ago | (#39801967)

Except that the Android bits represent only a minimal part of the Linux kernel codebase, so the whole impact of this would be proportionally pretty small.

Right but if someone manages to break into android because of a bug in the kernel, it will benefit Linux even if it is not Google's code. Same thing for all other open-source components.

No bonus for that? (1)

dutchwhizzman (817898) | about 2 years ago | (#39803435)

I doubt Google will offer a bonus for "generic" Linux bugs, even if they affect Android. This makes the suggestion that Linux would benefit rather implausible, since hackers that are in it for the money will either sit on the bug and keep it to themselves, or sell it to others that are willing to offer enough money.

Re:No bonus for that? (1)

jkflying (2190798) | about 2 years ago | (#39803805)

I doubt Google will offer a bonus for "generic" Linux bugs, even if they affect Android.

Why do you say that? Surely they would be happy to have a security hole in Android plugged, while gaining cred with the Linux community at the same time?

This makes the suggestion that Linux would benefit rather implausible, since hackers that are in it for the money will either sit on the bug and keep it to themselves, or sell it to others that are willing to offer enough money.

That is exactly why they are offering this program in the first place.

Everyone else is doing it wrong. (2, Interesting)

Anonymous Coward | about 2 years ago | (#39800887)

I love these articles. It's an obviously progressive and effective idea for bug fixes, and every company who's not doing it is clearly a crufty old dinosaur.

Re:Everyone else is doing it wrong. (2, Insightful)

Anonymous Coward | about 2 years ago | (#39801151)

Microsoft is clearly ahead of the curve; they've been paying people to create bugs for years.

Interesting. The article seems to prefer Mozilla' (3, Informative)

Derek Pomery (2028) | about 2 years ago | (#39800975)

So apparently the size of the bounty isn't everything.

'Both Kettle and Ruderman specifically mentioned Mozilla as an organization offering a bug-bounty program that is, in some ways, superior to Google's.

Among Mozilla's advantages, the organization has staging and sandbox servers for researchers to pound on without impacting users, provides a bug tracker that advises contributors as to the progress of fixes, does not require researchers to keep bugs secret, and offers a higher bounty for high-severity bugs, such as universal XSS bugs. Google's program may not make the Internet safer, Kettle observed, except by example. "Mozilla's certainly does, though: addons.mozilla.org is built on Django, and bugzilla.mozilla.org on Bugzilla," he said.'

Re:Interesting. The article seems to prefer Mozill (3, Informative)

Anonymous Coward | about 2 years ago | (#39803117)

Jesse Ruderman is a Mozilla employee, and one of their senior security people. He has a major voice in how their bounty program is run, so of course he's going to argue that it's better. I'm a bit disturbed that the article would fail to disclose such an important piece of information.

Re:Interesting. The article seems to prefer Mozill (1)

Derek Pomery (2028) | about 2 years ago | (#39806719)

Huh. Didn't know that.
What about Kettle since he is directly quoted?

game theory (5, Interesting)

buchner.johannes (1139593) | about 2 years ago | (#39801111)

Bug bounties are kind of a prisoner's dilemma: if you discover a bug, you can A) sell it to malicious companies and make some money on the black market, or B) admit the bug to the company.
Since you discovered the bug, it is likely that someone else will also discover the bug. Only if both choose A do both win, but if the other chooses B, you lose all your profits on the black market.
The expectation value of A,A is BlackProfit, the expectation value of B,A is BountyProfit. Let's say players choose taking the bounty with probability p. If more than 2 parties are involved, the probability that no player chooses the bounty is (1-p)^n. The expectation value of that choice is BlackProfit*(1-p)^n. As long as that is smaller than BountyProfit, you win.

For instance, let's say you can make a billion dollars(!) on the black market, and have very corrupt hackers, so only 1 in 100000 chooses the bounty. If you have 1 million players, you need to offer 45400 dollars.
If you have a population of ethical hackers, say 1 in 100 chooses the bounty (it's easier and quicker), you only need 1000 players to offer a bounty below 45000 dollars.
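
The break-even formula in the comment above, carried through as a small added example (this is editor-supplied code, not something the commenter or Google posted). It keeps the comment's symbols: BlackProfit is what one exploit fetches on the black market, p is the probability that any one finder takes the bounty, and n is the number of independent finders. The only extra piece is the inverse question the second scenario asks (how many finders before a fixed bounty wins), solved by taking logs of BlackProfit*(1-p)^n <= BountyProfit; the two numeric scenarios are the comment's own.

```python
"""Worked version of the bug-bounty 'prisoner's dilemma' from the comment above.

Added example, not code from the original page. Symbols follow the comment:
BlackProfit is the black-market price of one exploit, p is the probability
that any one finder takes the bounty, n is the number of independent finders.
A seller is only paid if none of the n finders reports first, so the expected
value of selling is BlackProfit * (1 - p) ** n; a bounty at or above that makes
reporting the better bet.
"""
import math


def expected_black_market_value(black_profit: float, p: float, n: int) -> float:
    """Expected payoff of selling: collected only if all n finders also sell."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    if n < 0:
        raise ValueError("n must be non-negative")
    return black_profit * (1.0 - p) ** n


def minimum_bounty(black_profit: float, p: float, n: int) -> float:
    """Smallest bounty at which reporting is at least as good as selling."""
    return expected_black_market_value(black_profit, p, n)


def finders_needed(black_profit: float, p: float, bounty: float) -> int:
    """Smallest n for which a fixed bounty beats the black market.

    Solves black_profit * (1 - p) ** n <= bounty for n. For 0 < p < 1 and
    bounty < black_profit this is n >= ln(bounty / black_profit) / ln(1 - p).
    """
    if bounty >= black_profit:
        return 0  # the bounty alone already matches the black market
    if p <= 0.0:
        raise ValueError("with p == 0 nobody ever reports; no n suffices")
    if p >= 1.0:
        return 1  # one other finder who always reports is enough
    return math.ceil(math.log(bounty / black_profit) / math.log(1.0 - p))


if __name__ == "__main__":
    # Scenario 1 from the comment: $1e9 exploit, 1 in 100000 report, 1e6 finders.
    print(round(minimum_bounty(1e9, 1e-5, 1_000_000)))   # about 45400
    # Scenario 2: 1 in 100 report; how many finders before a $45000 bounty wins?
    print(finders_needed(1e9, 0.01, 45_000))              # about 1000
```

Note that (1-p)^n is roughly e^(-pn), so both scenarios come out near 1e9 * e^(-10) because p*n is 10 in each; that is why the second population needs a thousandth of the players.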

Re:game theory (4, Insightful)

PCM2 (4486) | about 2 years ago | (#39801161)

Bug bounties are kind of a prisoner's dilemma: if you discover a bug, you can A) sell it to malicious companies and make some money on the black market, or B) admit the bug to the company.

Kind of. But this "dilemma" presupposes a purely amoral participant. Most people aren't amoral (or sociopathic) to begin with, and once there's real money behind doing the right thing, I doubt most people would go the other way.

Prisoner's Dilemma has no "good guy" (5, Insightful)

Zero__Kelvin (151819) | about 2 years ago | (#39801187)

In theory, theory always works. In practice it often doesn't. It's worse if you start off with a completely off base theory. If you have 10,000 black hats, it takes 1 white hat to squash the bug. If you have 1,000,000,000 black hat hackers it takes ... wait for it ... 1 white hat to squash the bug. In the prisoner's dilemma there is no "good guy". It's a completely different scenario.

Re:Prisoner's Dilemma has no "good guy" (0)

Anonymous Coward | about 2 years ago | (#39801307)

In theory, theory always works. In practice it often doesn't. It's worse if you start off with a completely off base theory. If you have 10,000 black hats, it takes 1 white hat to squash the bug. If you have 1,000,000,000 black hat hackers it takes ... wait for it ... 1 white hat to squash the bug. In the prisoner's dilemma there is no "good guy". It's a completely different scenario.

You can average over them, and say everyone is 1/10000th a "good guy" (or, everyone has a chance of p of being a good guy), that way I made the game symmetric. Then it is the same as the prisoners dilemma.

Re:Prisoner's Dilemma has no "good guy" (0)

Anonymous Coward | about 2 years ago | (#39809487)

"In theory, theory and practice work out the same, in practice this isn't always so."

Re:game theory (0)

Anonymous Coward | about 2 years ago | (#39801581)

Are you autistic?

Rest of the world. (3, Interesting)

PuZZleDucK (2478702) | about 2 years ago | (#39802005)

I was hoping TFA might mention if any company offers bounties to non-US countries. I couldn't find any last time I checked (admittedly a year or so ago)... does anyone know of any now?

Re:Rest of the world. (4, Informative)

jesser (77961) | about 2 years ago | (#39802619)

Mozilla, Google, and Facebook all offer bounties to researchers outside the US.

* Mozilla has awarded bounties to researchers in several European countries.

* Google says [google.com]: “We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.”

* Facebook says [facebook.com]: “You must... Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)”

Which bounty programs are restricted to the US?

Re:Rest of the world. (2)

Migala77 (1179151) | about 2 years ago | (#39805763)

* Google says [google.com]: “We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.”

* Facebook says [facebook.com]: “You must... Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)”

But researchers in those countries needn't worry; the government over there has their own reward program for discovering security bugs.
