Slashdot Mirror


Google To Pay $500 For Bugs Found In Chromium

Trailrunner7 writes to mention that a new program from Google could pay security researchers $500 for every security bug found in Chromium. Of course, if you find a particularly clever bug, you could be eligible for a $1337 reward. "Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be. Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program."

10 of 175 comments

  1. But it has AdThwart by tepples · · Score: 3, Insightful

    Wii doesn't have Halo, and Xbox 360 doesn't have Metroid Prime. Or Mac OS X doesn't have Windows Movie Maker, and Windows doesn't have iMovie. And as you point out, Chrome doesn't have Adblock Plus, but Firefox doesn't have AdThwart. Even if the titles aren't the same across platforms, they still do roughly the same thing.

    1. Re:But it has AdThwart by maxwell demon · · Score: 3, Insightful

      Given that Google is an advertising company, this is no surprise (actually it's a surprise that they actually offer ad hiding).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:But it has AdThwart by yuhong · · Score: 2, Insightful

      Yea, I know, I have a pending submission about the problems of "shareholder value" here: http://slashdot.org/submission/1159318/The-problems-of-the-shareholder-value-ideology

  2. Re:Here's an idea! by Anonymous Coward · · Score: 3, Insightful

    If the increase is small enough it probably wouldn't be a problem, but this calls up memories of playing Risk and holding onto my cards because as much as I needed the reward from using them now, it'd be so much MORE of a reward if I held out until someone else turned theirs in.

  3. Re:Why tell when you can exploit? by TheRaven64 · · Score: 3, Insightful

    Well, it is more legal. On the other hand, I suspect that you can sell details of exploitable vulnerabilities to various organised crime syndicates and government agencies for a lot more than $500...

    --
    I am TheRaven on Soylent News
  4. Re:Why tell when you can exploit? by tomhudson · · Score: 4, Insightful

    Why claim a $500 reward when you can exploit and steal more?

    In Soviet Russia, spammer rewards YOU!

    I'll take exploits for $500, Alex.
    Sorry, the Russian Business Network is paying $5000.

  5. Re:Why tell when you can exploit? by matzahboy · · Score: 3, Insightful

    Because that is illegal... the idea of this project is to give honest security researchers incentives to find bugs so that the people who would exploit them cannot.

  6. Re:Nice idea, but limited scope by fuzzyfuzzyfungus · · Score: 4, Insightful

    $500 (or even $1337) seems a bit low to encourage a would-be criminal to go legit with some clever zero day, rather than exploit it. And, if it isn't now, it will be as Chrome's user base increases. For that reason, I'm assuming that they are offering this as a mixture of publicity stunt and goodwill/attention attracting measure for security researchers (i.e., $500 won't buy very much time from somebody who really knows their shit about programming and security. If, though, you are either going to spend your day doing mean things to Flash or mean things to Chrome, why not go for the beer money).

    If those are indeed the motivations, it would seem highly counterproductive for them to be dicks about paying out. If they do, their good publicity will swiftly dissipate after a couple of "Google promises cash for bugs, weasels out" articles, and researchers who might otherwise care will probably just get fed up with fighting verbal technicalities and post to some open disclosure site instead.

  7. Re:Nice idea, but limited scope by causality · · Score: 2, Insightful

    I will add one thing... the time necessary is really academic. Moderation is a simple, easy-to-handle matter and the way to do that job is to actually know something about the post that you are modding, usually by reading it, perhaps by cross-referencing it. I immediately knew your intent, but if I didn't, then I could go through a very slightly longer process of referencing the article, which would remove all doubt. So again this is just carelessness on the part of people who probably shouldn't have mod points in the first place.

    This was a very rare thing to see prior to management's decision to hamstring meta-moderation. I'd still like to know who thought that was a good idea, who agreed with that person instead of laughing, and who has decided to keep meta-moderation useless even after the detrimental effects of this decision have been demonstrated.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  8. Responsibility by zogger · · Score: 2, Insightful

    It is a company's sole responsibility to make money for its shareholders.

    Ya, and that sucks, too, and it should be changed back to more of the original US model, where there were more duties and a lot more oversight into their conduct. Originally, it was a lot harder to get to be a corporation, charters were for a limited time, then a review before a renew, and you had to be publicly responsible, they couldn't be used to influence public policy, and a lot of other restrictions. Just "making profits" wasn't the sole criterion then to get granted a corporate charter.

    A little reference:

    http://www.reclaimdemocracy.org/corporate_accountability/history_corporations_us.html

    As it is today, it seems like they can do just about anything they want to do, and even if they run afoul of the last remaining checks and balances on their behavior, if they can meet the fine and pass the costs down to their next customers..that's it, they just keep on.

    And that's the problem, it's way too easy to have corporations now, and way too hard to get rid of the ones who engage in chronic serial antisocial or outright illegal behavior. They can come to life, but you can't kill them. And even if they screw up so bad they manage to go bankrupt, if they are big enough, they get emergency bailed out. I mean, WTF..you can't get rid of bad businesses or bad business creeps anymore? This is touted as some economic or social "good", because it "enhances shareholder value" or something? This is our loftiest goal?

    What you said is certainly true today, but it is the cause of a lot of problems...

    A lot of modern corporations look more like toxic invasive species superweeds to me than anything else.