Slashdot Mirror


Google To Pay $500 For Bugs Found In Chromium

Trailrunner7 writes to mention that a new program from Google could pay security researchers $500 for every security bug found in Chromium. Of course if you find a particularly clever bug you could be eligible for a $1337 reward. "Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be. Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program."


  1. No adblock plus by sakdoctor · · Score: 3, Funny

    $500 please

  2. Nice idea, but limited scope by girlintraining · · Score: 5, Informative

    They have to decide it's a critical bug, and it must be a single bug. A string of minor bugs that leads to a catastrophic bypass of security would be ineligible if I read these guidelines correctly. They also won't accept it if it's an operating system bug, though I could envision this being "the system call doesn't function as documented". Well, if the operating system won't fix it, it's still the application developer's responsibility to use a workaround -- but you wouldn't get credit for this even if it was a potentially serious problem.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Nice idea, but limited scope by tepples · · Score: 4, Informative

      They have to decide it's a critical bug, and it must be a single bug.

      From the article: "any clever vulnerability at any severity might get a reward."

    2. Re:Nice idea, but limited scope by girlintraining · · Score: 5, Informative

      From the article: "any clever vulnerability at any severity might get a reward."

      "We will typically focus on High and Critical impact bugs, but" ...

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:Nice idea, but limited scope by Your.Master · · Score: 3, Informative

      You've got it backwards. She was providing context, not removing it. The original full quote was:

      "We will typically focus on High and Critical impact bugs, but any clever vulnerability at any severity might get a reward."

    4. Re:Nice idea, but limited scope by fuzzyfuzzyfungus · · Score: 4, Insightful

      $500 (or even $1337) seems a bit low to encourage a would be criminal to go legit with some clever zero day, rather than exploit it. And, if it isn't now, it will be as Chrome's user base increases. For that reason, I'm assuming that they are offering this as a mixture of publicity stunt and goodwill/attention attracting measure for security researchers (i.e. $500 won't buy very much time from somebody who really knows their shit about programming and security. If, though, you are either going to spend your day doing mean things to Flash or mean things to Chrome, why not go for the beer money).

      If those are indeed the motivations, it would seem highly counterproductive for them to be dicks about paying out. If they do, their good publicity will swiftly dissipate after a couple of "Google promises cash for bugs, weasels out" articles, and researchers who might otherwise care will probably just get fed up with fighting verbal technicalities and post to some open disclosure site instead.

    5. Re:Nice idea, but limited scope by Applekid · · Score: 1

      Sounds low if it were, say, for IE or Firefox flaws. Chrome is still less than 5% of the browser market (from Jul - Dec 2009 according to StatOwl) and suffers (or, rather, benefits) from the Mac effect in resisting the actual exploitation of discoveries.

      --
      More Twoson than Cupertino
    6. Re:Nice idea, but limited scope by StikyPad · · Score: 1

      Regardless of the motivation, I'm not so sure it's a good idea to essentially add value to the black market for security exploits while simultaneously providing an incentive for contributors to add security bugs. They're really just raising the floor value of any given exploit to $500. Now if they were to offer a reward in excess of the level required to remain profitable through the exploitation of security holes (and it's anyone's guess what that value might be) then that might have some effect, but of course it would also increase the incentive for insider shenanigans.

    7. Re:Nice idea, but limited scope by kangsterizer · · Score: 1

      paying a company would cost them $15000 and they wouldn't be sure to get the bugs found.
      researching for $500 sure isn't worth doing it, unless you just find one by luck. you might also attract teenagers who sometimes get access to private exploits to make a quick $500 legally.
      finally, you get a publicity stunt saying you're so secure and all (but in fact, it's just that not enough people care about your product yet)

    8. Re:Nice idea, but limited scope by shadow_slicer · · Score: 1

      Ah, but if you're the criminal you can get paid twice:
      1) find vulnerability
      2) sell vulnerability to fraudsters ($$)
      3) report vulnerability to google for $$
      4) google patches vulnerability so fraudsters can't use it anymore
      5) goto 1
      6) profit!

    9. Re:Nice idea, but limited scope by JelloJoe · · Score: 1

      How many times do I need to say this? Chromium != Chrome

    10. Re:Nice idea, but limited scope by girlintraining · · Score: 1

      Amazing how the mods will go with the GP's (incorrect) take on things rather than take the 800 milliseconds necessary to see for themselves that it was not a "Troll" post, as it is currently modded. Carelessness 1, High-quality Moderation 0. Shocking, I tell you, shocking.

      I agree with everything you said, except 800ms is a bit short. I would say about 20 seconds, if you include the time to backtrack to the main page, click the link, wait for the website to load, and skim it for the relevant quote (which is the first question in the list). It could take up to a minute if they are slower readers -- we can't assume everyone reads as fast as we do.

      Still, moderators should read the article before using their points if they're going to mod articles that reference the article's content. Now if it's just "First post!" or "ch34p v!4gr4" posts, then by all means... :\

      --
      #fuckbeta #iamslashdot #dicemustdie
    11. Re:Nice idea, but limited scope by sys.stdout.write · · Score: 5, Funny

      5) goto 1
      6) profit!

      You're probably going to want to keep the profit within the scope of the loop...

    12. Re:Nice idea, but limited scope by causality · · Score: 1

      Amazing how the mods will go with the GP's (incorrect) take on things rather than take the 800 milliseconds necessary to see for themselves that it was not a "Troll" post, as it is currently modded. Carelessness 1, High-quality Moderation 0. Shocking, I tell you, shocking.

      I agree with everything you said, except 800ms is a bit short. I would say about 20 seconds, if you include the time to backtrack to the main page, click the link, wait for the website to load, and skim it for the relevant quote (which is the first question in the list). It could take up to a minute if they are slower readers -- we can't assume everyone reads as fast as we do.

      Still, moderators should read the article before using their points if they're going to mod articles that reference the article's content. Now if it's just "First post!" or "ch34p v!4gr4" posts, then by all means... :\

      It was immediately obvious to me that you were providing context. I have not read the article and it was not necessary for me to do so in order to know your intent. If anything, 800ms is generous but it accounts for people who are slow readers.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    13. Re:Nice idea, but limited scope by tepples · · Score: 1

      Ideally, if bug A allows bug B to result in a compromise, bug A gets upgraded to high impact.

    14. Re:Nice idea, but limited scope by causality · · Score: 2, Insightful

      I will add one thing... the time necessary is really academic. Moderation is a simple, easy-to-handle matter and the way to do that job is to actually know something about the post that you are modding, usually by reading it, perhaps by cross-referencing it. I immediately knew your intent, but if I didn't, then I could go through a very slightly longer process of referencing the article, which would remove all doubt. So again this is just carelessness on the part of people who probably shouldn't have mod points in the first place.

      This was a very rare thing to see prior to management's decision to hamstring meta-moderation. I'd still like to know who thought that was a good idea, who agreed with that person instead of laughing, and who has decided to keep meta-moderation useless even after the detrimental effects of this decision have been demonstrated.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    15. Re:Nice idea, but limited scope by jopsen · · Score: 2, Funny

      5) goto 1
      6) profit!

      You're probably going to want to keep the profit within the scope of the loop...

      Nope... The loop is correct: crime never pays off... :)

    16. Re:Nice idea, but limited scope by thsths · · Score: 2, Funny

      4b) fraudster comes round and beats you up

    17. Re:Nice idea, but limited scope by ascari · · Score: 1

      Actually, step one is they have to agree it's really a bug. Could be somebody's warped idea of a feature, you know.

    18. Re:Nice idea, but limited scope by ascari · · Score: 1

      Well, actually Chrome == Chromium, at least most commonly. See http://en.wikipedia.org/wiki/Chrome for the exciting details.

    19. Re:Nice idea, but limited scope by Chees0rz · · Score: 1

      Oh whoa, that's what I get for skimming and flaming. Thanks for the clarification (and holy shit with respect no-less) :)

      Putting the whole quote together... I still don't see it supporting the OP's point... hmm

    20. Re:Nice idea, but limited scope by Orestesx · · Score: 1

      On the other hand, it gives honest people a reward for reporting bugs, when all they would have gotten before is a thank you (maybe). How is that a publicity stunt?

      And GP says limited scope like it's a bad thing. I wish more things in my life were limited scope (software projects, federal copyright protection laws, etc.)

    21. Re:Nice idea, but limited scope by michaelhood · · Score: 1

      $500 (or even $1337) seems a bit low to encourage a would be criminal to go legit with some clever zero day, rather than exploit it. And, if it isn't now, it will be as Chrome's user base increases.

      No 'would-be criminal' is going to come forward to claim this stuff, it's not worth the effort. It's likely targeted at users like me who have stumbled upon potential exploits in the past but couldn't justify investing a day or more writing a PoC, submitting it and hoping someone would read it.

    22. Re:Nice idea, but limited scope by girlintraining · · Score: 1

      This was a very rare thing to see prior to management's decision to hamstring meta-moderation. I'd still like to know who thought that was a good idea, who agreed with that person instead of laughing, and who has decided to keep meta-moderation useless even after the detrimental effects of this decision have been demonstrated.

      O_o The moderation system on slashdot has always been controversial. Kuro5hin tried a new system where everybody was a moderator. It was a more accurate rating system, but its failure was in giving the users the ability to approve or reject content. Part of why slashdot is successful (and Kuro5hin failed) is because the authorship of stories is controlled by only a few people who have a lot of experience. The moderation system could be a simple thumbs up/down, and metamoderation could be flushed down the toilet, and the quality wouldn't change. At its core, the moderation system is a popularity contest -- you only get mod points by being let into the clubhouse by the other popular kids, and only comments that represent the popular opinion are highly rated. In general, pro-microsoft stuff is moderated down, whereas pro-linux would be moderated up. But a particularly well-written pro-microsoft post could still be modded up provided the author acknowledges the prevailing opinion when submitting it. For example, "I'd be the first to say Microsoft is a blight upon the land, but in this case..." Or, more directly -- people can state unpopular opinions if they couch it in rhetoric, whereas popular opinions are scrutinized less. It's human nature, and the moderation system can't fix that. But -- it could be redesigned to be simpler and more true to its roots.

      --
      #fuckbeta #iamslashdot #dicemustdie
    23. Re:Nice idea, but limited scope by lakeland · · Score: 1

      Perhaps...

      Think what having a framed check of $1337 from Google to you would do for your career, or on your CV "Awarded a prize by Google for finding security flaws", or perhaps "One of only 7 people worldwide awarded a prize by Google for finding bugs in their software". You get the drift...

      The money only needs to be enough that people will not dismiss it as a joke prize - I doubt any recipient will actually cash the check.

      cf Knuth's prizes for bugs in TeX.

    24. Re:Nice idea, but limited scope by SoulDrift · · Score: 1

      $500 (or even $1337) seems a bit low to encourage a would be criminal to go legit with some clever zero day, rather than exploit it.

      Yes, a criminal won't be tempted by such a low number. But an honest person will be. And there's still more of those around. If you can encourage them to look at your code and report bugs, for both fun *and* honest profit, then you have an edge.

    25. Re:Nice idea, but limited scope by poopdeville · · Score: 1

      This is looking rather promising. The source tarball is 843MB. Talk about gigabloatware.

      --
      After all, I am strangely colored.
    26. Re:Nice idea, but limited scope by Yvanhoe · · Score: 1

      The fact they are offering rewards for it and that no other competitor does can only be appreciated and approved. And to be frank, I doubt that monetizing a zero-day is as easy as you make it sound. You would have to quickly develop an exploit, sell it to the correct person, who may have more or less shady connections and an uncertain pay. On the other hand, Google offers $500, doesn't ask for a working exploit, is 100% legal and also awards you a lot in reputation money.

      There are also some people who would never sell an exploit to criminals. Today they have no way to be rewarded if they signal a bug. It is good that they can be rewarded. IMO, if Microsoft had done this a few years ago, the world of computer security may have been totally different.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    27. Re:Nice idea, but limited scope by causality · · Score: 1

      This was a very rare thing to see prior to management's decision to hamstring meta-moderation. I'd still like to know who thought that was a good idea, who agreed with that person instead of laughing, and who has decided to keep meta-moderation useless even after the detrimental effects of this decision have been demonstrated.

      O_o The moderation system on slashdot has always been controversial. Kuro5hin tried a new system where everybody was a moderator. It was a more accurate rating system, but its failure was in giving the users the ability to approve or reject content. Part of why slashdot is successful (and Kuro5hin failed) is because the authorship of stories is controlled by only a few people who have a lot of experience. The moderation system could be a simple thumbs up/down, and metamoderation could be flushed down the toilet, and the quality wouldn't change. At its core, the moderation system is a popularity contest -- you only get mod points by being let into the clubhouse by the other popular kids, and only comments that represent the popular opinion are highly rated. In general, pro-microsoft stuff is moderated down, whereas pro-linux would be moderated up. But a particularly well-written pro-microsoft post could still be modded up provided the author acknowledges the prevailing opinion when submitting it. For example, "I'd be the first to say Microsoft is a blight upon the land, but in this case..." Or, more directly -- people can state unpopular opinions if they couch it in rhetoric, whereas popular opinions are scrutinized less. It's human nature, and the moderation system can't fix that. But -- it could be redesigned to be simpler and more true to its roots.

      I must disagree here. I often say things that are not so popular, but I do it in a way that attempts to cause people to think differently about an issue. I typically have no problems with the moderators whenever I do this. The only sort of issues I have are people who enjoy deliberately distorting and quoting out of context, as it wastes my time to point out to them that actually reading my post would have negated whatever issue they believe they are raising. Still, I don't feel that mods target me because what I say is often not what folks like to hear. I try to be well-reasoned and lay a foundation for the arguments I construct, so that easy-way-out is not so easy.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  3. Dilbert by fatherjoecode · · Score: 4, Funny

    Time for Ratbert to do his dance on the keyboard.

    1. Re:dilbert by Brian+Gordon · · Score: 5, Funny
    2. Re:dilbert by moonbender · · Score: 1

      Hey, I didn't know about /fast. That's pretty cool, thanks.

      --
      Switch back to Slashdot's D1 system.
    3. Re:dilbert by DebianDog · · Score: 1

      Thank you!!!! This is EXACTLY the first thing I thought of.

    4. Re:Dilbert by Hurricane78 · · Score: 1

      Link, or it didn’t happen! ;)

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    5. Re:dilbert by serbanp · · Score: 1

      What Google forgot to mention is that each reward will be subtracted from the paycheck of the developer who wrote the offending code.

  4. But it has AdThwart by tepples · · Score: 3, Insightful

    Wii doesn't have Halo, and Xbox 360 doesn't have Metroid Prime. Or Mac OS X doesn't have Windows Movie Maker, and Windows doesn't have iMovie. And as you point out, Chrome doesn't have Adblock Plus, but Firefox doesn't have AdThwart. Even if the titles aren't the same across platforms, they still do roughly the same thing.

    1. Re:But it has AdThwart by Anonymous Coward · · Score: 2, Informative

      AdThwart only hides the ads; it doesn't block them. Third party ads/ad servers are a common source of security breaches. His point has validity.

      I wouldn't hold my breath for the money, though.

    2. Re:But it has AdThwart by iammani · · Score: 4, Informative

      they still do roughly the same thing.

      No, they don't. As it has already been pointed out in slashdot hundreds of times, Chrome only allows you to hide ads, it does not prevent ads from being downloaded. Hence you might see ads for a second before they actually disappear. And even worse is ads for youtube (the ones that popup within the flash plugin) can be blocked using Adblock in Firefox, but not in Chrome (using Adthwart or Adblock or whatever).

    3. Re:But it has AdThwart by maxwell+demon · · Score: 3, Insightful

      Given that Google is an advertising company, this is no surprise (actually it's a surprise that they actually offer ad hiding).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    4. Re:But it has AdThwart by hedwards · · Score: 1

      True, but it's still more than a little bit irresponsible. Google isn't exactly the most responsible company out there, how long has it been that they've been running silent updates over an unencrypted connection without asking for permission? Feel free to correct me if they've changed that policy, but it's only been in the last couple weeks that gmail defaulted to using SSL.

    5. Re:But it has AdThwart by iammani · · Score: 3, Informative

      Actually it's not that google is explicitly offering ad hiding feature. It's just that google is allowing extensions to insert stylesheets into webpages and AdThwart is using this feature to hide ads. If google were to not disallow extensions from inserting stylesheets, the capability of the extensions would be so limited that, it would literally become useless.

      Besides it is an open source tool. If they explicitly disallow adblocking. Someone will fork it.

      So it's not that google is doing us a favor. It's just that it does not have any other options.

    6. Re:But it has AdThwart by iammani · · Score: 1

      er: s/not disallow/disallow

      Looks like I need more coffee!

    7. Re:But it has AdThwart by Ash+Vince · · Score: 1

      Google isn't exactly the most responsible company out there,

      Company? Or do you mean organisation?

      It is a company's sole responsibility to make money for its shareholders.

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    8. Re:But it has AdThwart by yuhong · · Score: 1

      This topic has been discussed before http://tech.slashdot.org/story/09/12/17/1436257/Google-Says-Ad-Blockers-Will-Save-Online-Ads And the funny thing is that part of why Larry and Sergey chose to use text ads for Google is that they found banner and pop-up ads annoying.

    9. Re:But it has AdThwart by sonicmerlin · · Score: 1

      And who do you think is the majority shareholder in Google? Oh that's right, the founders.

    10. Re:But it has AdThwart by 0100010001010011 · · Score: 1

      If you have a Mac, get GlimmerBlocker. It works as a proxy server so it's not an addon. It works with every browser. I can even use GreaseMonkey scripts with all browsers (It will let you inject Javascript right before /body).

      I use it with Chromium & WebKit. Firefox doesn't get launched anymore other than for a few things, mainly because it likes to eat up all my RAM. I've had Firefox, with no windows open, using more RAM than the active Photoshop session I was using.

    11. Re:But it has AdThwart by yuhong · · Score: 2, Insightful

      Yea, I know, I have a pending submission about the problems of "shareholder value" here: http://slashdot.org/submission/1159318/The-problems-of-the-shareholder-value-ideology

  5. Here's an idea! by rehtonAesoohC · · Score: 1, Interesting

    What they should really do is up the dollar amount by a small margin every time someone finds a bug and is rewarded - maybe on a logarithmic curve?

    The idea being that once more and more bugs are discovered, the number of bugs left to discover will diminish, and people will have less incentive to find bugs, even though major flaws may still exist in some form. So the one person who finds the whopper of a bug five years from now could get $100,000...

    1. Re:Here's an idea! by Anonymous Coward · · Score: 3, Insightful

      If the increase is small enough it probably wouldn't be a problem, but this calls up memories of playing Risk and holding onto my cards because as much as I needed the reward from using them now, it'd be so much MORE of a reward if I held out until someone else turned theirs in.

    2. Re:Here's an idea! by martin-boundary · · Score: 2, Informative
      What is it with people and logarithms? You're posting on slashdot, you should know better!

      The logarithm grows very *slowly*:

      log(5) = 1.6
      log(10) = 2.3
      log(100) = 4.6
      log(1000) = 6.9

      For all practical purposes, you can think of a logarithmic curve as constant.

      What you're talking about is an *exponential* curve. Here's the exponential:

      exp(5) = 148.4
      exp(10) = 22026
      exp(100) = 26881171418161354484126255515800135873611118
      exp(1000) = 19700711140170469938888793522433231253169379853238457899528029913850\
      63850782441193474978076563026889930963817987520226935982981730544612\
      89923262783660152825232320535169584566756192271567602788071422466826\
      31400685516850865349794166031604536781793809290529972858013286994585\
      64702865343759004565643555891562204223202605188261122886383583722487\
      24725214506150418881937494100871264232248436315760560377439930623959\
      705844189509050047074217568

    3. Re:Here's an idea! by Anonymous Coward · · Score: 1, Funny

      exp(1000) =
      19700711140170469938888793522433231253169379853238457899528029913850\
      63850782441193474978076563026889930963817987520226935982981730544612\
      89923262783660152825232320535169584566756192271567602788071422466826\
      31400685516850865349794166031604536781793809290529972858013286994585\
      64702865343759004565643555891562204223202605188261122886383583722487\
      24725214506150418881937494100871264232248436315760560377439930623959\
      705844189509050047074217568

      Given all of those division signs, isn't this a really small number?! :P

    4. Re:Here's an idea! by maxwell+demon · · Score: 1

      I don't see a division sign. Division signs look like this: /
      But yes, it's still a small number, compared with a googolplex.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    5. Re:Here's an idea! by hedwards · · Score: 1

      That's the point, an exponential payout would encompass all of Google's future profits within the year. Whereas the logarithmic increase would be a tiny incremental increase each time an exploit was turned in.

    6. Re:Here's an idea! by martin-boundary · · Score: 1
      A logarithmic increase for each extra bug would not be any incentive at all, and would not work the way the OP claimed it would:

      So the one person who finds the whopper of a bug five years from now could get $100,000...

    7. Re:Here's an idea! by Arthur+Grumbine · · Score: 2, Funny

      I don't see a division sign. Division signs look like this: /

      I don't see a sense of humor. A sense of humor looks like this:-D

      --
      Now that I think about it, I'm pretty sure everything I just said is completely wrong.
    8. Re:Here's an idea! by Draek · · Score: 2, Informative

      Like TeX? though Knuth, being the badass that he is, did it with an exponential curve rather than a logarithmic one.

      --
      No problem is insoluble in all conceivable circumstances.
    9. Re:Here's an idea! by vadim_t · · Score: 1

      Take your example, and multiply by 100 (or a larger number if you prefer, but it seems reasonable to me):

        log(5)*100 = $160
        log(10)*100 = $230
        log(100)*100 = $460
        log(1000)*100 = $690

      By the 1000 bugs, Google will have paid about 590K, at 10K it'd be 8.2M. Right now the mozilla bugzilla has more than 500K bugs in it, though of course most of those wouldn't qualify.

    10. Re:Here's an idea! by martin-boundary · · Score: 1
      You have to look at the *shape* of the logarithm. The shape doesn't change if you multiply by a constant factor, and it is the *shape* that matters because that tells you the point of diminishing returns. Every bug takes effort, but statistically, later bugs take a lot more effort to find (because nearly all the "easy" ones are found first real quick).

      For example, nobody will aim to find the 10Kth bug, since they will get practically the same amount of money to find the 9999th bug:
      100*log(10000) = 921.03
      100*log(9999) = 921.02

      The difference here is 1 cent, but the extra work could be hours and hours.

      Now, how many hours are you willing to work for $500? Let's say you're willing to work for a whole weekend, then that's the time you have to find the 150th bug or so. That's a difficulty level that's pretty high for most programmers, only a few dedicated individuals are going to remain in the game at that point. Essentially, I expect that nobody will be interested in working on the 10Kth bug, ever.

      If Google wanted more people to play, there is a way to match difficulty with incentive. It requires collecting statistics on how long typical bugs remain open (assuming the time is proportional to difficulty). Then you can work out the flattest curve shape that should keep people interested forever. But it won't be a logarithm.

    11. Re:Here's an idea! by malakai · · Score: 1

      That's an incentive for people to not share the bugs they find until the bounty is high enough.

    12. Re:Here's an idea! by badkarmadayaccount · · Score: 1

      How about a logarithm with a really small base? That ought to be steeper as a curve.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
  6. $25,750,000,000!!! by Monkeedude1212 · · Score: 1

    So If I'm on Chromium right now...
    Awesome Averaging 1 bug per picture (some with multiple, some without), at 500 dollars each...

    I'll take my 25 Billion billion please. Keep the change.

    1. Re:$25,750,000,000!!! by Monkeedude1212 · · Score: 3, Funny

      I wrote Billion twice? Clearly the amount amount is staggering staggering.

  7. If Microsoft did this for Windows... by jgagnon · · Score: 1

    They'd have a 100% market share and be out of business. :p

    --
    Remember to maintain your supply of /facepalm oil to prevent chafing.
    1. Re:If Microsoft did this for Windows... by Icegryphon · · Score: 1

      That is assuming they would fix those bugs,
      instead of filing them under: don't care.

  8. Feature creep keeps testers in business by tepples · · Score: 2, Informative

    If Google adds new compelling features to Chrome, these will more than likely have new defects. If not, the browser will stagnate compared to Opera and Firefox.

  9. Re:Why tell when you can exploit? by TheRaven64 · · Score: 3, Insightful

    Well, it is more legal. On the other hand, I suspect that you can sell details of exploitable vulnerabilities to various organised crime syndicates and government agencies for a lot more than $500...

    --
    I am TheRaven on Soylent News
  10. Re:Why tell when you can exploit? by tomhudson · · Score: 4, Insightful

    Why claim a $500 reward when you can exploit and steal more?

    In Soviet Russia, spammer rewards YOU!

    I'll take exploits for $500, Alex.
    Sorry, the Russian Business Network is paying $5000.

  11. Re:Why tell when you can exploit? by matzahboy · · Score: 3, Insightful

    Because that is illegal... the idea of this project is to get honest security researchers incentives to find bugs so that the people who would exploit them, cannot.

  12. What about when the bugs are "features"? by Daetrin · · Score: 2, Interesting

    I just talked about this in the other Chrome article, but all the bugs i'd like to report they claim to be features.

    Even though they say they know it causes problems they'd rather continue to have a browser with issues rather than implement proven solutions that other browsers have come up with because they have aesthetic issues with those solutions.

    I really don't appreciate them making the product less useful to me because they don't like the solutions other people have come up with but can't think of anything better themselves. In my mind that counts as a bug, but that's not a definition they're going to accept.

    --
    This Space Intentionally Left Blank
    1. Re:What about when the bugs are "features"? by Daetrin · · Score: 1

      Well as I stated, and as they confirmed in the linked blog post, they _know_ that the lack of the features they decided not to include causes problems for many people, including themselves. So apparently what they were trying to do is to make a browser that _doesn't_ work for millions of people in some key aspects.

      Second of all, if you'd read the linked post you would have seen this quote: "In all of these areas we've resisted adding options to control behavior. Keeping our set of options minimal is a good forcing function for us as user interface designers to come up with the right approach, since we never rely on the crutch of making the user decide what we were unable to."

      So they are intentionally not including options to modify behavior, because clearly once they have decided on the "right" way to do things everyone else who thinks differently is "wrong." So at heart they are designing the browser for their own sensibilities. If the majority of users happen to agree with their decisions that will be great for them. If it turns out to be a minority... not so much. In either case choosing to prohibit the simple expedient of giving the user a choice, would allow more people to enjoy the browser the way _they_ want to. Even if that is the "wrong" way.

      I don't think they should make it _only_ the way I want. I'm not that hubristic. The fact that they are that hubristic, they think they can come up with the "one true way" to do things and not give anyone who disagrees with them any options, is rather frustrating.

      --
      This Space Intentionally Left Blank
  13. google just does everything different by Lord+Ender · · Score: 4, Interesting

    Some software companies sue security researchers. A few (Adobe) even attempt to get researchers arrested! Microsoft openly espouses its disdain for security researchers (see Ballmer's comments at the shareholders' meeting).

    Google? Google pays them cold, hard cash.

    I swear, it seems Google bucks every bad trend in the software/IT industry. It's like they're reading Slashdot and doing everything we say! The only real gripe slashdotters have with google is targeted advertising, but that's their revenue model, so the best we can hope for is that they don't give the info to those who would use it for something harmful (which seems to be the case).

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:google just does everything different by maxwell+demon · · Score: 1

      It's like they're reading Slashdot and doing everything we say!

      Let's try: Google, please give me a billion dollars.
      OK, I said it on Slashdot. Let's see if it works.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:google just does everything different by bill_mcgonigle · · Score: 1

      I swear, it seems Google bucks every bad trend in the software/IT industry.

      Here's Bruce Schneier pointing out the problems with such strategies in 1998. Point #3 is probably most salient in this case, but Chromium isn't open source, so the first two are still valid.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:google just does everything different by Lord+Ender · · Score: 1

      Sorry, but Sergey Brin browses at +5. The mods will need to show you some love if you want any chance at that...

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    4. Re:google just does everything different by Lord+Ender · · Score: 3, Informative

      but Chromium isn't open source

      Bzzzzt!

      "Chromium is the open-source project behind Google Chrome."

      http://code.google.com/chromium/

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    5. Re:google just does everything different by hedwards · · Score: 1

      I think you have to include your full name, SSN, bank account number and address. How else are they supposed to get the money to you?

    6. Re:google just does everything different by Lord+Ender · · Score: 4, Informative

      Define harmful

      Not harmful: showing you gadget ads instead of tampon ads because they know you're in the gadget demographic.

      Harmful: helping a dictatorship track you so they can kill you for espousing liberal views; helping law enforcement investigate your online activity without due process.

      As far as I can tell, Google only does the "not harmful" stuff with the data it collects, and in some cases it goes to great lengths to avoid doing the "harmful" stuff.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    7. Re:google just does everything different by maxwell+demon · · Score: 1

      They are Google. They are supposed to find that information. :-)
      (BTW, what would they need my SSN for?)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    8. Re:google just does everything different by ThrowAwaySociety · · Score: 3, Interesting

      I swear, it seems Google bucks every bad trend in the software/IT industry.

      Here's Bruce Schneier pointing out the problems with such strategies in 1998. Point #3 is probably most salient in this case, but Chromium isn't open source, so the first two are still valid.

      Totally different. Schneier is talking about putting up money to "prove" that a given product has no bugs. Google is smart enough to know that every product has bugs, and is just giving an incentive for people to find them (or more likely, for the finders to report them.)

    9. Re:google just does everything different by bill_mcgonigle · · Score: 1

      Google is smart enough to know that every product has bugs, and is just giving an incentive for people to find them (or more likely, for the finders to report them.)

      If it turns out that they're using this as simply a distributed contract labor mechanism, that will be great. My suspicion is that it will wind up in slide shows and marketing materials, but I'll be happy to be proven wrong on that.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    10. Re:google just does everything different by bill_mcgonigle · · Score: 1

      Bzzzzt!

      Is that you Pat Sajak?

      "Chromium is the open-source project behind Google Chrome."
      http://code.google.com/chromium/

      Ah... thanks, I get it now. If I'd known that I would have reported to them that Chrome won't launch on linux x86_64! :) Ah, hell, the Fedora build isn't working either (but at least there's a -debuginfo).

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    11. Re:google just does everything different by ArsonSmith · · Score: 1

      They're google, they already have all that.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    12. Re:google just does everything different by danielsouzat · · Score: 1

      Oh sure, Google isn't harmful, for a while. A lot of power in few hands is harmful, in my opinion.

    13. Re:google just does everything different by mahadiga · · Score: 1

      I think Google should employ all those who find clever bugs in Chromium

      --
      I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga
    14. Re:google just does everything different by yuhong · · Score: 1

      Proof?

  14. Direct deposit plz by deglr6328 · · Score: 1

    here you go. I can haz monies nao plz? kthxbye.

    --
    - "Hear that?! The percolations are imminent! Cease your ingress!"
  15. Re:Why tell when you can exploit? by BZ · · Score: 2, Informative

    The going rate for IE and Firefox vulnerabilities on the open market was in the $10k range when I last checked a few years back.... So yeah. The $500 thing is more to motivate white-hats to maybe look at it than to keep black-hats from selling their stuff to the highest bidders.

  16. $500573 by El_Muerte_TDS · · Score: 1

    And $500573 for a serious security bug?

    1. Re:$500573 by EkriirkE · · Score: 1

      SOOSTE? or did you mean 600613

      --
      from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
      to 45 2F 6E 40 3C DF 10 71 4E 41 DF AA 25 7D 31 3F
    2. Re:$500573 by 2obvious4u · · Score: 1

      55378008

  17. Re:$1337 - killer reward. by Dogtanian · · Score: 1

    if you read it properly of course.

    "Sleet"? Well, I guess the soggy snow we got in the week before Christmas was lethally slippy once the thaw/refreeze turned it into sheet ice...

    Anyway, given that Google is normally good at flattering geeks, the 1337 reference is (a) way too obvious and (b) way too five years ago (when was the last time you heard anyone use 1337-5p34k in a non-ironic sense?)

    They could at least have made the reward some power of two (though they might have been accused of ripping off Donald Knuth, since IIRC he did that first) or something related to e or pi. Dropped the ball there...

    Perhaps they'll donate $318008 to the person who finds the Playboy centrefold Easter egg? ;-)

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  18. Re:A mental image is worth 10^3 words. by martin-boundary · · Score: 1

    There's a nice/nontechnical introduction to the exponential in this streaming video talk

  19. Find a bug, win a Bug? by sfjohnson · · Score: 1

    Reminds me of the "Find a bug, win a Bug" promotion from Hunter & Ready Systems in the 1980s for their real-time operating system kernel.
    Never met anyone who won a Volkswagen, though...
    Google: Want to pony (or beetle) up?

    --
    Live in the Future; It's Just Starting Now!
  20. Re:Why tell when you can exploit? by Internalist · · Score: 1

    What?!? Because you have morals. The incentives are of course there for honest people, not thieves and scoundrels. That is, honest people who care about securing/protecting their own systems & privacy, and/or that of others (sometimes people like to help other people).

    Presumably the hope is that incentivizing things this way will make the morally-upright people have a go at finding the bugs...ideally *before* the nefarious crowd swoops in...

    --
    Research is what I'm doing when I don't know what I'm doing. -- Wernher von Braun
  21. Re:Why tell when you can exploit? by tomhudson · · Score: 1

    So where is this market with Russian business men and how easily accessible is it?

    In Soviet Russia, businessman access YOU!

    Seriously? Just search the chat rooms, or follow the links from any of the spam software you get, and you'll find a buyer. Look for sites that search engines say "This site has malware" etc., and you'll find a buyer.

  22. What exactly is illegal about it? by SmallFurryCreature · · Score: 1

    People keep saying this, but it ain't illegal at all. Show me the law.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:What exactly is illegal about it? by wagnerrp · · Score: 1

      Exploiting a flaw in computer code to gain access to a computer system without permission is illegal. You probably misread the OP and thought they were merely talking about finding and selling exploits.

    2. Re:What exactly is illegal about it? by DragonWriter · · Score: 1

      People keep saying this, but it ain't illegal at all. Show me the law.

      Most browser exploits that actually result in the exploiter profiting would fall afoul of various laws regarding fraud in general, many (whether or not they involve money) might also fall under a variety of laws involving unauthorized use or access to computers or information systems. There's no one law that prohibits "exploiting security vulnerabilities in web browsers", per se, but there are lots of laws that can be broken by specific instances of doing that.

    3. Re:What exactly is illegal about it? by dissy · · Score: 2, Informative

      Why claim a $500 reward when you can exploit and steal more?

      Because that is illegal... the idea of this project is to get honest security researchers incentives to find bugs so that the people who would exploit them, cannot.

      People keep saying this, but it ain't illegal at all. Show me the law.

      Exploiting computers and stealing aren't illegal you say?

      Links to a number of laws: http://www.cybercrime.gov/cclaws.html

      More sources of reading pleasure:

      http://www.cybercrime.gov/cc.html
      http://www.ustreas.gov/usss/financial_crimes.shtml#Computer
      http://www.fbi.gov/cyberinvest/cyberhome.htm
      http://www.ojp.usdoj.gov/nij/topics/technology/electronic-crime/welcome.htm

      And in case the .gov websites aren't legit enough for you, there is always wikipedia ;}
      http://en.wikipedia.org/wiki/Computer_crime

      Oh, and as for stealing not being illegal, you are wrong there too.

      http://public.leginfo.state.ny.us/menugetf.cgi?COMMONQUERY=LAWS

      Go to that link, scroll down to "PEN" for penal laws and click, then go down to section 155 on Larceny.
      (Their site sucks and uses javascript for navigation, so I can't directly link. Bastards :} )

      You can look up your own state laws similarly (Under penal law, for the crime larceny)

      Just to head off the inevitable "But I don't live in the US so everything you said doesn't matter", the answer is "no, it does, you are wrong."
      Google is in the US, so is bound by US laws, which is the topic of conversation in this thread.
      (Granted, California state laws for theft and not New York, but that was the link I had handy, they are all basically the same except for some minor details, and it was painful enough looking up anything on the NY site as it is :/ )

  23. Nothing like old-school incentives... by geekmux · · Score: 1

    ...you know, the kind of incentives that pre-date crap like stock options in lieu of a pay raise...

    Ah yes, let's all shiver from the crisp air whipping from a stack of cold hard cash. I like it.

  24. Not so new by orient · · Score: 1

    "Today, we are introducing an experimental new incentive for external researchers to participate."

    D. J. Bernstein did the same thing in 1997, offering a reward for finding bugs in qmail: http://cr.yp.to/qmail/guarantee.html

    --
    Laudele lor desigur m-ar mahni peste masura.
    1. Re:Not so new by MichaelSmith · · Score: 1

      It's a bit different because DJB truly believed there were no bugs. That was just advertising.

  25. Re:$1337 - killer reward. by unity100 · · Score: 1

    SO what ?

    what if it was too obvious and it was 5 years ago. it's still 1337. it's still leet.

    this isn't a women's shoe or fashion piece.

  26. Re:$1337 - killer reward. by Dogtanian · · Score: 2, Informative

    SO what ? what if it was too obvious

    Because Google tend to do things that genuinely appeal and pander to geeks' intellects and identity (and demonstrate that they understand them).

    Using the word "1337" like that is the kind of stereotypical thing someone *trying* to give the appearance of geek-friendliness and cool- who is themselves quite out of touch- would do. It's cheesy and tacky and...

    and it was 5 years ago

    Yeah, well you never see anyone using it now. And like it or not, geeks *do* follow fads.

    If you want a rationalisation of that, a few years back, only message-board geeks knew what "1337" meant; anyone using it demonstrated that they probably were a geek, or at least understood those people. Then 1337-5p34k got more popular, then it started appearing in magazine articles explaining what those strange symbols your children were typing were. At this point, anyone "knew" what 1337 meant, and could fake geek cred by using the expression. Oddly, it was also at this point (circa 2006 or so) that genuine 13375p34k dropped off the face of the earth, almost certainly because any obfuscating purpose and in-group identification had been killed off. Like any fashion.

    And like it or not, geeks do follow fashions (for the sake of fashion), just not necessarily mainstream-style ones.

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  27. Re:$1337 - killer reward. by element-o.p. · · Score: 2, Funny

    Tell you what...if 1337 is too "five years ago" for you, feel free to donate the reward to me if you win it ;)

    --
    MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
  28. Google catches up to Netscape? by vocatan · · Score: 2, Informative

    Netscape used to offer a "bug Bounty" for issues reported -- xref article "BUGS BOUNTY By Philip Elmer-DeWitt Monday, Oct. 23, 1995" http://www.time.com/time/magazine/article/0,9171,983604,00.html

    "[...]Netscape last week began offering cash awards to anybody who can find a security hole in the beta, or test, version of its latest browser software. Under the so-called Bugs Bounty program, the first person to identify a "significant" security flaw wins $1,000. Lesser bugs earn smaller prizes ranging from $40 sweatshirts to $12 coffee mugs. The idea, explains a company spokesperson, is to get hackers to hack when it will do the Netscape some good--before the product is officially released.[...]"

    So - given inflation, does this mean that the value of a bug has gone down over time - or was Netscape just paying way above market value? :D

  29. Re:Why tell when you can exploit? by Tolkien · · Score: 1

    Not all of us are as immoral as you are I suppose. Was this statement too obvious for you?

  30. Re:$1337 - killer reward. by ascari · · Score: 1

    I agree. They should at least adjust for 5 years worth of inflation!

  31. Not open source? Where'd that come from? by DragonWriter · · Score: 1

    ...but Chromium isn't open source...

    Incorrect.

  32. Re:$1337 - killer reward. by stefthedearheart · · Score: 2

    Considering the economy in the last couple of years, $1337 would be what? About $887?

  33. dontgetshocked by dontgetshocked · · Score: 1

    I think this is cool, nothing quite like some good old cash to help motivate a person. Also it shows a real interest in their product.

  34. Re:Why tell when you can exploit? by Renraku · · Score: 1

    So that's $5500 for submitting the bug for both. Nothing ethically wrong with that, because once someone has discovered/submitted it, it's really fair game.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  35. Responsibility by zogger · · Score: 2, Insightful

    It is a company's sole responsibility to make money for its shareholders.

    Ya, and that sucks, too, and it should be changed back to more of the original US model, where there were more duties and a lot more oversight into their conduct. Originally, it was a lot harder to get to be a corporation, charters were for a limited time, then a review before a renew, and you had to be publicly responsible, they couldn't be used to influence public policy, and a lot of other restrictions. Just "making profits" wasn't the sole criteria then to get granted a corporate charter.

    A little reference:

    http://www.reclaimdemocracy.org/corporate_accountability/history_corporations_us.html

    As it is today, it seems like they can do just about anything they want to do, and even if they run afoul of the last remaining checks and balances on their behavior, if they can meet the fine and pass the costs down to their next customers..that's it, they just keep on.

    And that's the problem, it's way too easy to have corporations now, and way too hard to get rid of the ones who engage in chronic serial antisocial or outright illegal behavior. They can come to life, but you can't kill them. And even if they screw up so bad they manage to go bankrupt, if they are big enough, they get emergency bailed out. I mean, WTF..you can't get rid of bad businesses or bad business creeps anymore? This is touted as some economic or social "good", because it "enhances shareholder value" or something? This is our loftiest goal?

    What you said is certainly true today, but it is the cause of a lot of problems...

    A lot of modern corporations look more like toxic invasive species superweeds to me than anything else.

    1. Re:Responsibility by Ash+Vince · · Score: 1

      What you said is certainly true today, but it is the cause of a lot of problems...

      Hey, no argument here. But since I am a socialist you guys would probably think I am a communist or something.

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    2. Re:Responsibility by yuhong · · Score: 1

      Yea, I know, but I think it is too late and probably overkill to go back to that now.

  36. Leet by danielsouzat · · Score: 1

    R$ 1337 = Leet

    1. Re:Leet by TeknoHog · · Score: 1

      Actually, 1337 is not particularly elite as it is a composite number. For true primal eliteness, use 31337 instead.

      (My UID is twice a prime, so nyah nyah nyah!)

      --
      Escher was the first MC and Giger invented the HR department.
    2. Re:Leet by apoc.famine · · Score: 1

      Is there some UID that's not some multiple of a prime...?

      --
      Velociraptor = Distiraptor / Timeraptor
  37. names and labels by zogger · · Score: 2, Interesting

    Ha, I am a strict Constitutionalist, a practical centrist, with the emphasis being the sovereign individual first, then some powers to the states, then even less to the central government. the original idea.

    I *wish* it was attempted, because I think it could actually work..

    When it comes to corporations I just don't like crooks thieves and liars, nor vampire corporations that can get away with anything and can't be killed, just because of "making money" as their one and only priority. There needs to be a "three strikes and you are out" for corporations same as it is for individuals. It should be a lot easier to get their charters revoked.

    I think *voluntary* collectivism is an interesting idea to run companies fairly and ethically, and still make a buck, like the movements in Argentina today. I'm not real big on large scale centralized planning (left or right wing), but as a voluntary thing, sure. I like the idea of eliminating the typical "workers versus management versus shareholders" internal war which screws up corporations today, and makes them work inefficiently and keeps everyone mad at the other guy. I think that's a lame stupid model. I think the owners should be the workers should be the managers, and share in the profits equitably. This would help eliminate all those bogus decisions based on "short term profits" mentality.

  38. Re:$1337 - killer reward. by jhol13 · · Score: 1

    not necessarily mainstream-style ones.

    Oh yes they do. They wear nike, drink coke, eat in macdonalds, ... exactly like everybody else.

    They might think they are smarter and not driven by advertisements. But vast majority won't drink tap water, wear noname clothes and eat in no-brand restaurant though it would most likely be much better in almost every sense - except "cool" factor.

  39. A perverse Incentive by abhishekupadhya · · Score: 1

    1. Tie up with some of the coders behind chromium.
    2. Ask them to insert clever, high-impact bugs.
    3. report the exploit.
    4. Collect $1337

    1. Re:A perverse Incentive by SnowZero · · Score: 1

      5. Have developers look at the annotated source in version control to find out who wrote it.
      6. Become widely known as the "guy who inserts security bugs on purpose" and get fired from your programming day job. Nobody else will hire you since you are a liability.
      7. Avoid traveling to countries where what you did was illegal (If the bug was ever exploited I know I sure wouldn't travel to Singapore).

  40. bad for google & good for website owners? by UnFaNa · · Score: 1

    I am surprised. Downloading but not showing means, they have the traffic and the expenses but not the benefits, right? That should make the least sense for google and the most for small sites that get money from google, if I didn't misunderstand the whole of it.

  41. Re:Why tell when you can exploit? by tomhudson · · Score: 1

    So that's $5500 for submitting the bug for both. Nothing ethically wrong with that, because once someone has discovered/submitted it, it's really fair game.

    I think you'd find that in Soviet Russia, that's bad for your health ... you'd end up being "fair game."

  42. Re:Why tell when you can exploit? by General+Wesc · · Score: 1

    Most people have moral qualms about exploiting bugs to steal from people. They also have non-moral qualms about going to jail.

  43. HOSTS beat that, read inside... apk by Anonymous Coward · · Score: 1, Interesting

    "Besides it is an open source tool. If they explicitly disallow adblocking. Someone will fork it." - by iammani (1392285) on Friday January 29, @04:44PM (#30955594)

    NO NEED FOR THAT: There's already a tool that operates @ a "lower level" of the IP Stack for filtering sites AND FOR SPEEDING UP ACCESS TO THEM AS WELL - that's your local HOSTS file!

    1.) HOSTS files eat no CPU cycles like browser addons do no less!

    2.) HOSTS files are also NOT severely LIMITED TO 1 BROWSER FAMILY ONLY... browser addons, are. HOSTS files cover & protect (for security) and speed up (all apps that are webbound) any app you have that goes to the internet (specifically the web).

    3.) HOSTS files allow you to bypass DNS Server requests logs (via hardcoding your favorite sites into them to avoid not only the TIME taken roundtrip to an external DNS server, but also for avoiding those logs OR a DNS server that has been compromised (see Dan Kaminsky online, on that note)).

    4.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR.

    5.) HOSTS files also allow you to not worry about a DNS server being compromised, or downed (if either occurs, you STILL get to sites you hardcode in a HOSTS file anyhow in EITHER case).

    6.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://en.wikipedia.org/wiki/Hosts_file ) & edited too.

    7.) HOSTS files aren't as vulnerable to "bugs" either like programs/libs/extensions of that nature are, OR even DNS servers.

    8.) HOSTS files are a solution which also globally extends to EVERY WEBBOUND APP YOU HAVE

    9.) HOSTS files are also EASILY secured well, via write-protection "read-only" attributes set on them, or more radically, via ACL's even.

    10.) ADBLOCK DOES NOT ALLOW A USER DIRECT EASILY EDITABLE CONTROL OVER WHAT IT BLOCKS & HOSTS do, via texteditors like notepad.exe (afaik, @ least - feel free to correct me IF I am in error here (thanks)).

    APK

    P.S.=> Per my subject-line above? Chrome doesn't NEED addons to do the job, as a HOSTS file already can blockout anything you like, AND SPEED YOU UP to your fav. sites too... "too, Too, TOO EASY" & all from 1 single more efficient + less "bug prone" file! However, laying in BOTH addons for browsers AND a HOSTS file is a good idea for the concept of "layered security"... apk

    1. Re:HOSTS beat that, read inside... apk by tepples · · Score: 1

      Do HOSTS files allow separate configurations for each of a computer's users?