Slashdot Mirror


Google To Pay $500 For Bugs Found In Chromium

Trailrunner7 writes to mention that a new program from Google could pay security researchers $500 for every security bug found in Chromium. Of course if you find a particularly clever bug you could be eligible for a $1337 reward. "Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be. Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program."

16 of 175 comments

  1. Nice idea, but limited scope by girlintraining · · Score: 5, Informative

    They have to decide it's a critical bug, and it must be a single bug. A string of minor bugs that leads to a catastrophic bypass of security would be ineligible if I read these guidelines correctly. They also won't accept it if it's an operating system bug, though I could envision this being "the system call doesn't function as documented". Well, if the operating system won't fix it, it's still the application developer's responsibility to use a workaround -- but you wouldn't get credit for this even if it was a potentially serious problem.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Nice idea, but limited scope by tepples · · Score: 4, Informative

      They have to decide it's a critical bug, and it must be a single bug.

      From the article: "any clever vulnerability at any severity might get a reward."

    2. Re:Nice idea, but limited scope by girlintraining · · Score: 5, Informative

      From the article: "any clever vulnerability at any severity might get a reward."

      "We will typically focus on High and Critical impact bugs, but" ...

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:Nice idea, but limited scope by Your.Master · · Score: 3, Informative

      You've got it backwards. She was providing context, not removing it. The original full quote was:

      "We will typically focus on High and Critical impact bugs, but any clever vulnerability at any severity might get a reward."

  2. Feature creep keeps testers in business by tepples · · Score: 2, Informative

    If Google adds new compelling features to Chrome, these will more than likely have new defects. If not, the browser will stagnate compared to Opera and Firefox.

  3. Re:But it has AdThwart by Anonymous Coward · · Score: 2, Informative

    AdThwart only hides the ads; it doesn't block them. Third party ads/ad servers are a common source of security breaches. His point has validity.

    I wouldn't hold my breath for the money, though.

  4. Re:But it has AdThwart by iammani · · Score: 4, Informative

    they still do roughly the same thing.

    No they don't. As it has already been pointed out on slashdot hundreds of times, Chrome only allows you to hide ads; it does not prevent ads from being downloaded. Hence you might see ads for a second before they actually disappear. And even worse, ads for youtube (the ones that pop up within the flash plugin) can be blocked using Adblock in Firefox, but not in Chrome (using Adthwart or Adblock or whatever).

  5. Re:Here's an idea! by martin-boundary · · Score: 2, Informative

    What is it with people and logarithms? You're posting on slashdot, you should know better!

    The logarithm grows very *slowly*:

    log(5) = 1.6
    log(10) = 2.3
    log(100) = 4.6
    log(1000) = 6.9

    For all practical purposes, you can think of a logarithmic curve as constant.

    What you're talking about is an *exponential* curve. Here's the exponential:

    exp(5) = 148.4
    exp(10) = 22026
    exp(100) = 26881171418161354484126255515800135873611118
    exp(1000) = 19700711140170469938888793522433231253169379853238457899528029913850\
    63850782441193474978076563026889930963817987520226935982981730544612\
    89923262783660152825232320535169584566756192271567602788071422466826\
    31400685516850865349794166031604536781793809290529972858013286994585\
    64702865343759004565643555891562204223202605188261122886383583722487\
    24725214506150418881937494100871264232248436315760560377439930623959\
    705844189509050047074217568

  6. Re:Why tell when you can exploit? by BZ · · Score: 2, Informative

    The going rate for IE and Firefox vulnerabilities on the open market was in the $10k range when I last checked a few years back.... So yeah. The $500 thing is more to motivate white-hats to maybe look at it than to keep black-hats from selling their stuff to the highest bidders.

  7. Re:google just does everything different by Lord+Ender · · Score: 3, Informative

    but Chromium isn't open source

    Bzzzzt!

    "Chromium is the open-source project behind Google Chrome."

    http://code.google.com/chromium/

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  8. Re:But it has AdThwart by iammani · · Score: 3, Informative

    Actually it's not that google is explicitly offering an ad hiding feature. It is just that google is allowing extensions to insert stylesheets into webpages and AdThwart is using this feature to hide ads. If google were to not disallow extensions from inserting stylesheets, the capability of the extensions would be so limited that it would literally become useless.

    Besides, it is an open source tool. If they explicitly disallow adblocking, someone will fork it.

    So it's not that google is doing us a favor. It's just that it does not have any other options.
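The point made in the AdThwart replies above (a stylesheet-injecting extension hides ad elements after they load, while only a request filter keeps the third-party ad server from being contacted at all) can be shown with a small model. This is an added example, not code from this page, from AdThwart or from Chromium: the sample page, the `ads.example-adserver.test` hostname, the block list and the `loadPage` loader with its two hooks are all constructed for the demonstration and do not correspond to any real browser API.

```javascript
// Added example, not code from AdThwart, Chromium or this page: a constructed
// model of "hide with an injected stylesheet" versus "block the request".
// The page, hostnames and rules below are made up for the demonstration.

// Constructed sample page: a first-party document that embeds two third-party
// ad resources (an iframe and a script) alongside first-party content.
const SAMPLE_PAGE = {
  origin: "https://example.test",
  resources: [
    { id: "hero",     kind: "img",    url: "https://example.test/hero.png" },
    { id: "ad-top",   kind: "iframe", url: "https://ads.example-adserver.test/top.html" },
    { id: "ad-video", kind: "script", url: "https://ads.example-adserver.test/player.js" },
    { id: "app",      kind: "script", url: "https://example.test/app.js" },
  ],
};

// Hypothetical ad-server block list keyed by hostname.
const AD_HOSTS = new Set(["ads.example-adserver.test"]);

function isAdRequest(url) {
  return AD_HOSTS.has(new URL(url).hostname);
}

// AdThwart-style approach: the extension only gets to inject CSS into the
// document, so the best it can do is hide the elements that carry ads.
function buildHidingStylesheet(page) {
  return page.resources
    .filter((r) => isAdRequest(r.url))
    .map((r) => `#${r.id} { display: none !important; }`)
    .join("\n");
}

// Minimal page loader with two optional hooks, standing in for the browser:
//   allowRequest(url) -> false stops the request before it is issued
//   hiddenIds(page)   -> element ids an injected stylesheet hides after load
// It reports what was fetched, what third-party code ran, and what is shown.
function loadPage(page, policy) {
  const hidden = new Set(policy.hiddenIds ? policy.hiddenIds(page) : []);
  const result = { fetched: [], thirdPartyCodeRun: [], displayed: [] };
  for (const r of page.resources) {
    if (policy.allowRequest && !policy.allowRequest(r.url)) {
      continue; // never fetched, never executed, never rendered
    }
    result.fetched.push(r.url);
    const runsCode = r.kind === "script" || r.kind === "iframe";
    if (runsCode && new URL(r.url).origin !== page.origin) {
      // The code executes whether or not the element is hidden afterwards.
      result.thirdPartyCodeRun.push(r.url);
    }
    if (!hidden.has(r.id)) result.displayed.push(r.id);
  }
  return result;
}

// Policy 1: hide via stylesheet (what a CSS-injecting extension can do).
const cssHidePolicy = {
  hiddenIds: (page) =>
    page.resources.filter((r) => isAdRequest(r.url)).map((r) => r.id),
};

// Policy 2: filter the request itself (what a request-blocking extension does).
const requestBlockPolicy = {
  allowRequest: (url) => !isAdRequest(url),
};

// Count the ad-host requests that still reach the network under a policy.
function adRequestsIssued(page, policy) {
  return loadPage(page, policy).fetched.filter(isAdRequest).length;
}

console.log("injected stylesheet:\n" + buildHidingStylesheet(SAMPLE_PAGE));
console.log("hide :", loadPage(SAMPLE_PAGE, cssHidePolicy));
console.log("block:", loadPage(SAMPLE_PAGE, requestBlockPolicy));
```

Both policies end up displaying the same two first-party elements, but under the hiding policy the two ad-server resources are still fetched and the iframe and script still run; only the request-filtering policy leaves `thirdPartyCodeRun` empty, which is the attack surface the comments above are talking about.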

  9. Re:google just does everything different by Lord+Ender · · Score: 4, Informative

    Define harmful

    Not harmful: showing you gadget ads instead of tampon ads because they know you're in the gadget demographic.

    Harmful: helping a dictatorship track you so they can kill you for espousing liberal views; helping law enforcement investigate your online activity without due process.

    As far as I can tell, Google only does the "not harmful" stuff with the data it collects, and in some cases it goes to great lengths to avoid doing the "harmful" stuff.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  10. Re:$1337 - killer reward. by Dogtanian · · Score: 2, Informative

    SO what ? what if it was too obvious

    Because Google tend to do things that genuinely appeal and pander to geeks' intellects and identity (and demonstrate that they understand them).

    Using the word "1337" like that is the kind of stereotypical thing someone *trying* to give the appearance of geek-friendliness and cool (who is themselves quite out of touch) would do. It's cheesy and tacky and...

    and it was 5 years ago

    Yeah, well you never see anyone using it now. And like it or not, geeks *do* follow fads.

    If you want a rationalisation of that, a few years back, only message-board geeks knew what "1337" meant; anyone using it demonstrated that they probably were a geek, or at least understood those people. Then 1337-5p34k got more popular, then it started appearing in magazine articles explaining what those strange symbols your children were typing meant. At this point, anyone "knew" what 1337 meant, and could fake geek cred by using the expression. Oddly, it was also at this point (circa 2006 or so) that genuine 13375p34k dropped off the face of the earth, almost certainly because any obfuscating purpose and in-group identification had been killed off. Like any fashion.

    And like it or not, geeks do follow fashions (for the sake of fashion), just not necessarily mainstream-style ones.

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  11. Google catches up to Netscape? by vocatan · · Score: 2, Informative

    Netscape used to offer a "bug Bounty" for issues reported -- xref article "BUGS BOUNTY By Philip Elmer-DeWitt Monday, Oct. 23, 1995 " http://www.time.com/time/magazine/article/0,9171,983604,00.html "[...]Netscape last week began offering cash awards to anybody who can find a security hole in the beta, or test, version of its latest browser software. Under the so-called Bugs Bounty program, the first person to identify a "significant" security flaw wins $1,000. Lesser bugs earn smaller prizes ranging from $40 sweatshirts to $12 coffee mugs. The idea, explains a company spokesperson, is to get hackers to hack when it will do the Netscape some good--before the product is officially released.[...]" So - given inflation, does this mean that the value of a bug has gone down over time - or was Netscape just paying way above market value? :D

  12. Re:Here's an idea! by Draek · · Score: 2, Informative

    Like TeX? though Knuth, being the badass that he is, did it with an exponential curve rather than a logarithmic one.

    --
    No problem is insoluble in all conceivable circumstances.
  13. Re:What exactly is illegal about it? by dissy · · Score: 2, Informative

    Why claim a $500 reward when you can exploit and steal more?

    Because that is illegal... the idea of this project is to give honest security researchers incentives to find bugs so that the people who would exploit them cannot.

    People keep saying this, but it ain't illegal at all. Show me the law.

    Exploiting computers and stealing aren't illegal you say?

    Links to a number of laws: http://www.cybercrime.gov/cclaws.html

    More sources of reading pleasure:

    http://www.cybercrime.gov/cc.html
    http://www.ustreas.gov/usss/financial_crimes.shtml#Computer
    http://www.fbi.gov/cyberinvest/cyberhome.htm
    http://www.ojp.usdoj.gov/nij/topics/technology/electronic-crime/welcome.htm

    And in case the .gov websites aren't legit enough for you, there is always wikipedia ;}
    http://en.wikipedia.org/wiki/Computer_crime

    Oh, and as for stealing not being illegal, you are wrong there too.

    http://public.leginfo.state.ny.us/menugetf.cgi?COMMONQUERY=LAWS

    Go to that link, scroll down to "PEN" for penal laws and click, then go down to section 155 on Larceny.
    (Their site sucks and uses javascript for navigation, so I can't directly link. Bastards :} )

    You can look up your own state laws similar (Under penal law, for the crime larceny)

    Just to head off the inevitable "But I don't live in the US so everything you said doesn't matter", the answer is "no, it does, you are wrong."
    Google is in the US, so is bound by US laws, which is the topic of conversation in this thread.
    (Granted, California state laws for theft and not New York, but that was the link I had handy, they are all basically the same except for some minor details, and it was painful enough looking up anything on the NY site as it is :/ )