
Mega Vulnerability Reward Program Starts Payouts: 7 Bugs Fixed In First Week

timothy posted about a year and a half ago | from the paid-in-bitcoins-of-course dept.


An anonymous reader writes "If you're a hacker or a security researcher, this is a reminder that you don't have to take on Google's or Mozilla's software to get paid for finding a bug. In its first week, the Mega vulnerability reward program has already confirmed and fixed seven bugs, showing that Dotcom really does put his money where his mouth is. Although Mega hasn't shared how much money it paid out in the first week, how many bug submissions were made, or even who found which bugs, the company did briefly detail the discovered security holes. It also confirmed that the program is here to stay and urged those participating to find more severe bugs."


Good Work Kim (5, Interesting)

sidevans (66118) | about a year and a half ago | (#42854301)

Let's hope it helps keep those annoying federal police out of your servers.

Re:Good Work Kim (1)

Luckyo (1726890) | about a year and a half ago | (#42858061)

Unfortunately the same "pay for bug fix" culture.. (-1)

Anonymous Coward | about a year and a half ago | (#42854305)

..is also responsible for people selling exploits on the black market. Kim Dotcom might pay well, but I'm sure he knows as well as anyone else that crime is where the money is.

Re:Unfortunately the same "pay for bug fix" cultur (3, Funny)

OhANameWhatName (2688401) | about a year and a half ago | (#42854351)

Kim Dotcom might pay well, but I'm sure he knows as well as anyone else that crime is where the money is

Certainly right. There's probably even huge amounts of money to be made by suing USDOJ trolls for slander.

Re:Unfortunately the same "pay for bug fix" cultur (-1, Flamebait)

tehcyder (746570) | about a year and a half ago | (#42857869)

Kim Dotcom might pay well, but I'm sure he knows as well as anyone else that crime is where the money is

Certainly right. There's probably even huge amounts of money to be made by suing USDOJ trolls for slander.

Dotcom is a convicted fraudster. He made tons of money on Megaupload by exploiting the infringement of copyright. He is a criminal. Just because people here don't agree with copyright changes nothing about his activities.

Yeah, yeah, I'm a fucking paid government shill, obviously, and Dotcom is the fucking second coming of Christ.

Re:Unfortunately the same "pay for bug fix" cultur (0)

Anonymous Coward | about a year and a half ago | (#42870219)

Not necessarily a shill. But definitely a Christian. Christians can't tell right from wrong, so you just assume legal == right.

Re:Unfortunately the same "pay for bug fix" cultur (0)

Anonymous Coward | about a year and a half ago | (#42854503)

The people who search for exploits to offer them for sale are not necessarily the same ones these campaigns are targeted at.

Re:Unfortunately the same "pay for bug fix" cultur (1)

Runaway1956 (1322357) | about a year and a half ago | (#42854897)

That's a bit dumb, really. You're implying that if no legitimate people offered rewards, then the illegitimate hackers would stop doing their thing? That's equivalent to saying that if the police didn't offer "Crime Stopper" rewards, then the crooks would stop committing crimes. It makes no sense at all.

Re:Unfortunately the same "pay for bug fix" cultur (1)

Samantha Wright (1324923) | about a year and a half ago | (#42856149)

I think his point was more that it's sad that rewards have to figure into this at all, since some (not all) of the people claiming the rewards might be amoral and simply go for the highest bidder. A little like paying pickpockets not to rob people, y'know?

Re: Unfortunately the same "pay for bug fix" cultu (0)

Anonymous Coward | about a year and a half ago | (#42857049)

I'd argue that this is more like paying a pickpocket to teach you how to stop other pickpockets from targeting you.

Re: Unfortunately the same "pay for bug fix" cultu (1)

Samantha Wright (1324923) | about a year and a half ago | (#42860387)

If you involve teaching in the analogy you have to make it symmetrical, at which point it's no longer an analogy at all: you're paying people who teach pickpockets to teach you instead of them. Doesn't really have the original ring to it, y'know? The important part is "paying bad people not to do bad things for profit."

New way to get software made cheap (5, Funny)

Anonymous Coward | about a year and a half ago | (#42854329)

1. Pay unskilled programmers little money to quickly turn out software.
2. Release software you know is completely buggy and insecure.
3. Offer bounty for better programmers to find bugs at overall cheaper rate.

Re:New way to get software made cheap (5, Interesting)

ACluk90 (2618091) | about a year and a half ago | (#42854397)

At least the bugs are fixed.

And frankly, if this is the way that yields the best product for your money: Why not?

Re:New way to get software made cheap (3, Insightful)

Cryacin (657549) | about a year and a half ago | (#42854501)

And frankly, if this is the way that yields the best product for your money: Why not?

That's a very big if.

Re:New way to get software made cheap (3, Funny)

Anonymous Coward | about a year and a half ago | (#42854669)

Yeah, who's going to want to sit on their ass in their own home working with no contract, no paperwork, no boss, no bullshit, finding bugs and getting paid for working whenever they feel like it...

Re:New way to get software made cheap (1)

Cryacin (657549) | about a year and a half ago | (#42867395)

Not to mention making literally THOUSANDS OF DOLLARS!!! (Per year)

Re:New way to get software made cheap (2)

fatphil (181876) | about a year and a half ago | (#42856951)

But at least this way they only have to fix the bugs that white-box testing uncovers. If they had to fix every bug, that would be prohibitively expensive.

Re:New way to get software made cheap (0)

Anonymous Coward | about a year and a half ago | (#42860793)

And frankly, if sweatshops yield the best product for your money: Why not?

Re:New way to get software made cheap (5, Insightful)

eksith (2776419) | about a year and a half ago | (#42854507)

1. Is sadly how a large number of shops turn out work. A lot of software is about brand name and marketing over quality. If it's closed source, you'll have no idea just how bad it is. Not saying open source is better, but at least someone can decide objectively whether it's rubbish or not when they can see the inner workings.

2. Happens a lot, but not as often nowadays with very popular players. And a lot less when practically the whole world is looking at you. ME with Microsoft was probably the big poster child for this, but since then, they've been better (we'll skip Vista, since its biggest problem was making things that used to work, not work anymore)

3. Is also what Google does. And frankly, it's a very good system. Provided the majority of programmers are still driven by ethos and bragging rights, the money's just icing on the cake. Of course, if they still value money more, then that's a problem for the original software makers since governments can afford to shell out more dough.

The black market is very lucrative and there are very successful programmers in that world, i.e. The Grugq. Now we can debate the ethics of the business, but in the end, they're just catering to demand. Killing supply doesn't work (case in point, the war on drugs), so that leaves the demand to be worked on by companies that care more about security and clients who push for it.

Re:New way to get software made cheap (0)

Anonymous Coward | about a year and a half ago | (#42856267)

3. Does it matter what the majority of programmers are driven by? You simply need enough programmers driven by any of those three to fix the software. And we've got a lot of programmers in the world.

And yup, totally agree. It's a very good system. The bounty method completely skips over the delay of selecting contract candidates. The first Harry Tuttle with the fix gets paid. All big commercial products should look at using this.

It probably pays better than writing tech books, and (name withheld) I've done that and in my experience you've got a lot of talented people just trying to pull in a little (very little) cash & bragging rights via that business.

Re:New way to get software made cheap (1)

thoughtlover (83833) | about a year and a half ago | (#42854925)

I have points and so want to give them to you, but you're damn insightful and the funny will just drown that sense out. The thing is, if Dotcom was so forward with his 'desire' to be transparent, at least he'd say how much he paid out. I know Google does, and may not credit direct names, but did for a pseudonym [cnn.com] . $60K is a nice haul for one bug!

Re:New way to get software made cheap (5, Insightful)

Gorshkov (932507) | about a year and a half ago | (#42855707)

1. Pay unskilled programmers little money to quickly turn out software.

1. Pay the best programmers you can find and give them the time and resources they need to turn out a top quality product.

2. Release software you know is completely buggy and insecure.

2. Release software after it has been tested in every way you can think of, and fix even the smallest bugs you can find.

3. Offer bounty for better programmers to find bugs at overall cheaper rate.

This step remains the same - because it doesn't matter who you hire, how good they are, or how much time they have - any significant software system is so complex that only a total idiot would assume there are no bugs.

Re:New way to get software made cheap (0)

equex (747231) | about a year and a half ago | (#42856527)

lol you are just about to finish your degree, right?

Re:New way to get software made cheap (0, Funny)

Anonymous Coward | about a year and a half ago | (#42856905)

lol, never got yours, right?

Re:New way to get software made cheap (0)

Anonymous Coward | about a year and a half ago | (#42857239)

Somebody is sad that they didn't get one and is only trusted with boilerplate work.

Re:New way to get software made cheap (0)

Anonymous Coward | about a year and a half ago | (#42857687)

lol

It's not very wise to start a statement with "lol" if you want to be taken seriously.

Re:New way to get software made cheap (0)

Anonymous Coward | about a year and a half ago | (#42875039)

lol

It's not very wise to start a statement with "lol" if you want to be taken seriously.

It's not very wise to ever use "lol" if you don't want to maintain the appearance that you're an imbecile. FTFY.

Re:New way to get software made cheap (0)

Anonymous Coward | about a year and a half ago | (#42856645)

3. Offer bounty for better programmers to find bugs at overall cheaper rate.

This step remains the same - because it doesn't matter who you hire, how good they are, or how much time they have - any significant software system is so complex that only a total idiot would assume there are no bugs.

It is possible to design and implement a big project bug free. It is not possible to do it with a tight budget and a timeline that is too tight even for the current workflow. You have to take a modular approach and each module needs to be audited and tested. Modules need to be feature stable. Use the simplest module available for the needed task. Don't assume anything. This is very time consuming and needs a tight spec for the interfaces, and each module's team needs to know why their module exists in the first place.

Re:New way to get software made cheap (0)

Anonymous Coward | about a year and a half ago | (#42857253)

It is possible to design and implement a big project bug free.

Oh really? Pray tell, where are you hiding that Turing oracle from us?

Re:New way to get software made cheap (0)

Anonymous Coward | about a year and a half ago | (#42857665)

1. Pay the best programmers you can find and give them the time and resources they need to turn out a top quality product.

2. Release software after it has been tested in every way you can think of, and fix even the smallest bugs you can find.

Unless you work in a niche area of the market, your competition will outrun you by the time you finish with #1+#2. The IP you invented at high cost I'll be glad to purchase for peanuts when you go bankrupt.

Re:New way to get software made cheap (3, Insightful)

garyebickford (222422) | about a year and a half ago | (#42858271)

Indeed. I used to run a SW QA workshop for a large-ish company. The math is as you say. Based on analysis of years of data from multiple high-quality large software development projects (many of them defense- and space- related) using the latest quality assurance methods, only about 2/3 to 85% of bugs were caught prior to release. White box testing can only find about 1/3 of existing bugs - there's some interesting math behind that - note the word 'can'.

Most interestingly, given said quality engineering methods, the majority of bugs are built into the original design - they are not coding errors. (I think that a significant portion of those 'bugs' are arguably based on differences of opinion about how things ought to work.) From my work on these workshops I came up with the saying that "writing a small software program is like writing a 400 page book with no typos, no spelling or grammar errors, no ambiguous phrases, and no plot holes." (A 400 page book will have about 20,000 lines of text.)

About that time, I heard a talk at a conference by the then-head of IBM's OS 360 maintenance team, when OS360 was the OS for IBM mainframes that 'ruled the world' at the time. IIRC OS360 contained three million lines of code and had a 3 month maintenance release cycle. The speaker said that each cycle on average fixed two to three thousand new bugs.

More recently (late 1990s, early 2000s), analysis of a variety of software - again developed using 'good' methods - found that there was an average of one bug in every 200 lines of released, shipped code. I think it was about that time that Microsoft said they averaged about one bug in every 75 lines. (NB: It is not known if these numbers used the same metrics, so it is not evidence of any difference in coding quality.)

So, bottom line - no matter how carefully the code is designed and written, it will certainly have bugs - especially as you count design changes as bugs.

Re:New way to get software made cheap (1)

garyebickford (222422) | about a year and a half ago | (#42858341)

I'll just add a second reply - there is one common exception these days, which is web programming. Because of the rapid application development cycle, the ubiquity of scripting languages (making changes easy and cheap) and the continuous design change paradigm, web programming tends commonly to be closer to the 'quick hack to make it go'.

For my own projects these days, which are not web programming but pulling data from outside data sources that tend to change a lot, it is not cost effective to spend a lot of time making the code more efficient or shiny. Instead the code is written to be adaptable to changing inputs, failing softly (i.e. not blowing up the database, crashing or looping forever) and letting people know that it has broken so it can be fixed. It is not uncommon for the fix to be undoing a fix done the previous week or month, because the environment changed back. In this case 'quality' has a somewhat different meaning, closer to 'garbage in, sweet-smelling roses out'.

Re:New way to get software made cheap (3, Informative)

tbird81 (946205) | about a year and a half ago | (#42856783)

1. Pay unskilled programmers little money to quickly turn out software.
2. Release software you know is completely buggy and insecure.
3. Offer bounty for better programmers to find bugs at overall cheaper rate.

Actually the majority of software development doesn't bother with #3.

Bounties for more than security bugs (1, Interesting)

Mandrel (765308) | about a year and a half ago | (#42854687)

It's disappointing that software makers seem to only ever offer bounties for security bugs, rather than for all types of bugs and for ideas to improve the software. Don't worry if the software is a POS to use — no-one can misuse it!

Bounties for ideas and general fixes are feasible if contributors must agree that the company takes ownership of any submitted ideas, and that no compensation should be expected. Payments are totally at the company's discretion. This should cover the legal worries that currently make such payments very rare.

At the same time a company would be smart to provide monetary rewards that acknowledge suggestions that have clearly benefited the company. It's good business, and good PR.

Re:Bounties for more than security bugs (1, Insightful)

fisted (2295862) | about a year and a half ago | (#42854775)

Frankly, security-related bugs /are/ the most important ones, because they provide attack vectors to the rest of the system. Missing functionality is just meh, but nothing to worry about.

Re:Bounties for more than security bugs (1)

LordLimecat (1103839) | about a year and a half ago | (#42855255)

Also, it's easier to fix security bugs once reported than to fix "Your software is clunky and unpolished".

Re:Bounties for more than security bugs (0)

Anonymous Coward | about a year and a half ago | (#42854805)

That's what competition is for.
But nowadays people seem so stupid they do this:
If company Y has a more usable product then you use company X's product because it's shiny.

doesn't stop there (0, Redundant)

frovingslosh (582462) | about a year and a half ago | (#42854779)

What great news. And there are competitions sponsored by China, Iran and North Korea to find bugs like this too.
