
Google Multiplies Low-Tier Bug Bounties By Factor of Five

Soulskill posted about a year ago | from the all-about-the-william-mckinleys dept.


Trailrunner7 writes "Google's bug bounty program has been one of the more successful reward systems of its kind, and the company has regularly modified and expanded the program over the years to keep pace with what's going on in the industry. Google also has increased the rewards it offers for certain kinds of vulnerabilities several times, and the company is doing it again, raising the lower reward level from $1,000 to $5,000. This is the second major reward increase in the last couple of months. In June the company jacked up the amount of money it pays for cross-site scripting vulnerabilities in Google web properties to $7,500, and also raised the reward for authentication bypasses to that same level. Now, Google is giving researchers more incentive to find significant vulnerabilities in its Chrome browser."


29 comments


Still cheaper than employees (1)

schneidafunk (795759) | about a year ago | (#44557251)

I wonder what the black market prices are for those vulnerabilities.

Re:Still cheaper than employees (2)

mrops (927562) | about a year ago | (#44557995)

Let me call NSA and find out.

Re:Still cheaper than employees (0)

Anonymous Coward | about a year ago | (#44558033)

Any "bounty" or "competition" is doomed to the same failure mode: people capable of doing the work understand the mathematics of the problem: if you're not the best in the world, then you don't get paid.

If bounties and competitions want to draw the best talent, they have to either offer guaranteed "working wage" compensation, or offer "lottery" level compensation to make up for the odds of wasting your time and ending up in 2nd, 3rd, ... Nth place.

more incentive? (0)

Anonymous Coward | about a year ago | (#44557281)

Isn't this just going to get people to sit on their bugs until the prize money goes up again? Obviously not right now, since an increase just happened, but in a few years; it wouldn't surprise me to see a fall-off in the number of bugs reported, followed by a very sudden increase after the next increase.

Re:more incentive? (3, Insightful)

webnut77 (1326189) | about a year ago | (#44557311)

Isn't this just going to get people to sit on their bugs until the prize money goes up again? Obviously not right now, since an increase just happened, but in a few years; it wouldn't surprise me to see a fall-off in the number of bugs reported, followed by a very sudden increase after the next increase.

It's a risk. There's always the possibility that someone else will find the same bug you do and cash in first.

Re:more incentive? (0)

Anonymous Coward | about a year ago | (#44557799)

It's a risk. There's always the possibility that someone else will find the same bug you do and cash in first.

What you just described is not (a) risk.

Re:more incentive? (1)

Anonymous Coward | about a year ago | (#44558567)

That's exactly what it is. You *risk* the current reward by betting on the fact that nobody else will disclose the bug before the price goes up.

Re:more incentive? (0)

Anonymous Coward | about a year ago | (#44560633)

The term "risk" implies one would lose something if one didn't react (report bug/"cash in first") or reacted and failed (doesn't apply in this case). You risk nothing when action or inaction would result in no change in your existing condition (financial or otherwise). The keyword here is loss; when there is no potential of loss (to the individual seeking out and reporting security vulnerabilities) then there is no risk for that individual. Google, on the other hand, is who's at risk (of losing money if someone reports a vulnerability and it turns out to be legitimate).

1. You have US$0. You submit a security vulnerability to Google. They reject it. You still have $0. You've lost nothing.
2. You have $0. You submit a security vulnerability to Google. They accept it. You now have $5000 more than you had before. You still lost nothing.
3. You have $0. You do nothing. You still have $0. You've lost nothing.

TL;DR -- There is no risk, just lack of potential gain. Only stock market assholes seem to equate risk with lack of gain.

Re:more incentive? (0)

Anonymous Coward | about a year ago | (#44561245)

Lack of potential gain is loss. They call it opportunity cost. It's a real risk. Another way to put it: you've lost the exclusive knowledge of a bug.

You have to be insane not to realize this.

When you say only "stock market assholes" understand risk you reveal a weird mentality where something must be untrue because it's studied by people you detest.

Let's say you have one hundred million lottery tickets for the Powerball, all with different numbers. I don't know how you got those tickets and it doesn't matter. Bear in mind that you have well over a 50% chance of a jackpot with so many tickets (jackpot odds are about 1 in 175 million), and are almost certain to get lots of lesser winning tickets.

1. You have US$0. You check all the tickets. All of them lost. You've lost nothing.
2. You have US$0. You check all the tickets. Some are big winners. You now have $X US more than you had before. You've still lost nothing.
3. You have US$0. You do nothing. You still have $0. You've lost nothing.

This despite the fact that you almost certainly would have landed in option 2, with a whole pile more money. You've risked your potential gain in #2, which was almost certain to come to fruition, by taking the third option.

Still not satisfied? Well, then say there were all 175 million possible tickets. Now option 1 doesn't even exist. Does that change anything?

If no, then god help you because you're giving up a certainty of a lot of money for a certainty of none. If yes, is taking away just enough tickets that it's technically possible for them to all be losers sufficient to make it a non-risk to not check the tickets?

Re: more incentive? (0)

Anonymous Coward | about a year ago | (#44562507)

Just to cut through the pseudo-intellectual bullshit...

If you waited to report a bug and then someone else reported it, you would lose the chance to claim the reward. So cut the crap.

Re: more incentive? (0)

Anonymous Coward | about a year ago | (#44562523)

If you discover a zero day bug, you have already won... The potential to trade for cash... If you wait it out, you will lose that potential..

Are you really that dumb or do you just like to argue?

Re:more incentive? (0)

Anonymous Coward | about a year ago | (#44557877)

Isn't this just going to get people to sit on their bugs until the prize money goes up again? Obviously not right now, since an increase just happened, but in a few years; it wouldn't surprise me to see a fall-off in the number of bugs reported, followed by a very sudden increase after the next increase.

It's a risk. There's always the possibility that someone else will find the same bug you do and cash in first.

That's probably the biggest incentive to cash in right away. Plus there's the part where we have no idea when the next increase is going to come.

Can we contribute? (1)

Qzukk (229616) | about a year ago | (#44557297)

I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.

Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED" [google.com]

Re:Can we contribute? (0)

Anonymous Coward | about a year ago | (#44557603)

Maybe your wi-fi keeps connecting to random spots?

Re:Can we contribute? (1)

CanHasDIY (1672858) | about a year ago | (#44557649)

I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.

Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED" [google.com]

If it happens while you're on a single network and not moving (say, sitting on your couch using your home wifi), it could be an issue with your router; I recently had to lay my old 802.11/b Netgear router to rest, as it wouldn't stop randomly disassociating Android devices.

If it happens on the same machine, no matter what network you're connected to, it could be your NIC.

Re:Can we contribute? (1)

CanHasDIY (1672858) | about a year ago | (#44557673)

I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.

Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED" [google.com]

If it happens while you're on a single network and not moving (say, sitting on your couch using your home wifi), it could be an issue with your router; I recently had to lay my old 802.11/b Netgear router to rest, as it wouldn't stop randomly disassociating Android devices.

Addendum: It could also be a rogue access point causing a seemingly random disassociation. Check your logs.

Re:Can we contribute? (1)

Qzukk (229616) | about a year ago | (#44560611)

For the record, I'm hardwired in here.

Re:Can we contribute? (1)

CanHasDIY (1672858) | about a year ago | (#44565319)

For the record, I'm hardwired in here.

Hmm... could be a port bouncing... have you done a packet capture and reviewed the logs?

Another question - do you have this problem with other browsers and/or services, or is it exclusive to Chrome?

simple competition (1)

Anonymous Coward | about a year ago | (#44557303)

Because you can sell those bugs to bad guys for even more ...

messing with Microsoft (2, Interesting)

Anonymous Coward | about a year ago | (#44557339)

(posting anon because of my employment situation)

In many ways this is about control of the vuln market space rather than the value of the vulns. Microsoft is very slow to catch up, and the recent bug bounty required a herculean political effort internally and took months for approvals. Even so, the bounty amounts were focus-grouped to minuscule levels, meaning that Google pays more for Microsoft vulns than Microsoft does. Far more. I don't know whether or not Google dribbles them out slowly or not, after their own product patches or not, or other competitive move or not. But it ain't good, and Google's d!ck-waggling move shows how agile they are, more than anything else.

Re: messing with Microsoft (0)

Anonymous Coward | about a year ago | (#44557419)

Why would Google pay for Microsoft vulnerabilities? Am I being a goober?

Re: messing with Microsoft (1)

Anonymous Coward | about a year ago | (#44557703)

http://www.chromium.org/Home/chromium-security/hall-of-fame [chromium.org]

See the special-case rewards:

The following special-case rewards were issued for bugs in components external to the Chromium project. We sometimes issue rewards for bugs in external components where information of the bug enabled us to proactively protect our users.

Re: messing with Microsoft (0)

Anonymous Coward | about a year ago | (#44557817)

I went through each bug and didn't see one against Microsoft. There were some font bugs that Windows couldn't handle and would crash. Is that what you are talking about? So Google Chrome (and Firefox and Opera) all validate the font before so the browsers don't crash. How is that messing with Microsoft? Or am I missing something?

Re:messing with Microsoft (0)

Anonymous Coward | about a year ago | (#44560537)

Are you in TwC?

Interesting (3, Insightful)

g0bshiTe (596213) | about a year ago | (#44558109)

"giving researchers more incentive"

Or conning people into using Chrome in the hopes they will find a nice bug and collect the bounty.

Re:Interesting (0)

Anonymous Coward | about a year ago | (#44566107)

More likely it represents a stable security model that has had most of the low-hanging fruit grabbed. We're getting into real security-research-as-a-career levels of effort to find a good exploit these days.

Re:Interesting (1)

BadPirate (1572721) | about a year ago | (#44576461)

Or conning people into using Chrome in the hopes they will find a nice bug and collect the bounty.

With around 40% (or more) of the internet using Google Chrome, and around 2 billion individual internet users, we can round down and say that Google Chrome has around 700 million users.

I'm sure that at best the bug program might encourage 1000 security researchers (who weren't already using chrome) to use chrome...

So Google's "Con" would be to give away thousands of dollars in hopes of increasing their install base by 0.00001%

Or... they are simply "giving researchers more incentive"


Based on a study? (1)

Skuto (171945) | about a year ago | (#44565949)

This might be due to the result of a study showing that the insane bounties Google promises for top-end bugs (especially for Chrome) draw many people in to look for Chrome security bugs, but that actually the expected payout for looking for Chrome bugs is exactly the same as it is for (for example) Firefox, because the latter pays more for the easier-to-find bugs.

Microsoft already changed their bug bounty program significantly days after the study was announced.
