Google To Pay $500 For Bugs Found In Chromium
Trailrunner7 writes to mention that a new program from Google could pay security researchers $500 for every security bug found in Chromium. Of course if you find a particularly clever bug you could be eligible for a $1337 reward. "Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be. Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program."
$500 please
They have to decide it's a critical bug, and it must be a single bug. A string of minor bugs that leads to a catastrophic bypass of security would be ineligible if I read these guidelines correctly. They also won't accept it if it's an operating system bug, though I could envision this being "the system call doesn't function as documented". Well, if the operating system won't fix it, it's still the application developer's responsibility to use a workaround -- but you wouldn't get credit for this even if it was a potentially serious problem.
#fuckbeta #iamslashdot #dicemustdie
Time for Ratbert to do his dance on the keyboard.
Wii doesn't have Halo, and Xbox 360 doesn't have Metroid Prime. Or Mac OS X doesn't have Windows Movie Maker, and Windows doesn't have iMovie. And as you point out, Chrome doesn't have Adblock Plus, but Firefox doesn't have AdThwart. Even if the titles aren't the same across platforms, they still do roughly the same thing.
I wrote Billion twice? Clearly the amount amount is staggering staggering.
If Google adds new compelling features to Chrome, these will more than likely have new defects. If not, the browser will stagnate compared to Opera and Firefox.
If the increase is small enough it probably wouldn't be a problem, but this calls up memories of playing Risk and holding onto my cards because as much as I needed the reward from using them now, it'd be so much MORE of a reward if I held out until someone else turned theirs in.
Well, it is more legal. On the other hand, I suspect that you can sell details of exploitable vulnerabilities to various organised crime syndicates and government agencies for a lot more than $500...
I am TheRaven on Soylent News
The logarithm grows very *slowly*:
log(5) = 1.6
log(10) = 2.3
log(100) = 4.6
log(1000) = 6.9
For all practical purposes, you can think of a logarithmic curve as constant.
What you're talking about is an *exponential* curve. Here's the exponential:
exp(5) = 148.4
exp(10) = 22026
exp(100) = 26881171418161354484126255515800135873611118
exp(1000) = 19700711140170469938888793522433231253169379853238457899528029913850\
63850782441193474978076563026889930963817987520226935982981730544612\
89923262783660152825232320535169584566756192271567602788071422466826\
31400685516850865349794166031604536781793809290529972858013286994585\
64702865343759004565643555891562204223202605188261122886383583722487\
24725214506150418881937494100871264232248436315760560377439930623959\
705844189509050047074217568
In Soviet Russia, spammer rewards YOU!
I'll take exploits for $500, Alex.
Sorry, the Russian Business Network is paying $5000.
I just talked about this in the other Chrome article, but all the bugs I'd like to report they claim to be features.
Even though they say they know it causes problems they'd rather continue to have a browser with issues rather than implement proven solutions that other browsers have come up with because they have aesthetic issues with those solutions.
I really don't appreciate them making the product less useful to me because they don't like the solutions other people have come up with but can't think of anything better themselves. In my mind that counts as a bug, but that's not a definition they're going to accept.
This Space Intentionally Left Blank
Some software companies sue security researchers. A few (Adobe) even attempt to get researchers arrested! Microsoft openly espouses its disdain for security researchers (see Ballmer's comments at the shareholders' meeting).
Google? Google pays them cold, hard cash.
I swear, it seems Google bucks every bad trend in the software/IT industry. It's like they're reading Slashdot and doing everything we say! The only real gripe slashdotters have with google is targeted advertising, but that's their revenue model, so the best we can hope for is that they don't give the info to those who would use it for something harmful (which seems to be the case).
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
The going rate for IE and Firefox vulnerabilities on the open market was in the $10k range when I last checked a few years back.... So yeah. The $500 thing is more to motivate white-hats to maybe look at it than to keep black-hats from selling their stuff to the highest bidders.
So what? What if it was too obvious?
Because Google tend to do things that genuinely appeal and pander to geeks' intellects and identity (and demonstrate that they understand them).
Using the word "1337" like that is the kind of stereotypical thing someone *trying* to give the appearance of geek-friendliness and cool (who is themselves quite out of touch) would do. It's cheesy and tacky and...
and it was 5 years ago
Yeah, well you never see anyone using it now. And like it or not, geeks *do* follow fads.
If you want a rationalisation of that, a few years back, only message-board geeks knew what "1337" meant; anyone using it demonstrated that they probably were a geek, or at least understood those people. Then 1337-5p34k got more popular, then it started appearing in magazine articles explaining what those strange symbols your children were typing meant. At this point, everyone "knew" what 1337 meant, and could fake geek cred by using the expression. Oddly, it was also at this point (circa 2006 or so) that genuine 13375p34k dropped off the face of the earth, almost certainly because any obfuscating purpose and in-group identification had been killed off. Like any fashion.
And like it or not, geeks do follow fashions (for the sake of fashion), just not necessarily mainstream-style ones.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
Tell you what...if 1337 is too "five years ago" for you, feel free to donate the reward to me if you win it ;)
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Netscape used to offer a "bug Bounty" for issues reported -- xref article "BUGS BOUNTY By Philip Elmer-DeWitt Monday, Oct. 23, 1995 " http://www.time.com/time/magazine/article/0,9171,983604,00.html "[...]Netscape last week began offering cash awards to anybody who can find a security hole in the beta, or test, version of its latest browser software. Under the so-called Bugs Bounty program, the first person to identify a "significant" security flaw wins $1,000. Lesser bugs earn smaller prizes ranging from $40 sweatshirts to $12 coffee mugs. The idea, explains a company spokesperson, is to get hackers to hack when it will do the Netscape some good--before the product is officially released.[...]" So - given inflation, does this mean that the value of a bug has gone down over time - or was Netscape just paying way above market value? :D
I don't see a division sign. Division signs look like this: /
I don't see a sense of humor. A sense of humor looks like this:-D
Now that I think about it, I'm pretty sure everything I just said is completely wrong.
Like TeX? though Knuth, being the badass that he is, did it with an exponential curve rather than a logarithmic one.
No problem is insoluble in all conceivable circumstances.
Considering the economy in the last couple of years, $1337 would be what? About $887?
Why claim a $500 reward when you can exploit and steal more?
Because that is illegal... the idea of this project is to get honest security researchers incentives to find bugs so that the people who would exploit them, cannot.
People keep saying this, but it ain't illegal at all. Show me the law.
Exploiting computers and stealing aren't illegal you say?
Links to a number of laws: http://www.cybercrime.gov/cclaws.html
More sources of reading pleasure:
http://www.cybercrime.gov/cc.html
http://www.ustreas.gov/usss/financial_crimes.shtml#Computer
http://www.fbi.gov/cyberinvest/cyberhome.htm
http://www.ojp.usdoj.gov/nij/topics/technology/electronic-crime/welcome.htm
And in case the .gov websites aren't legit enough for you, there is always wikipedia ;}
http://en.wikipedia.org/wiki/Computer_crime
Oh, and as for stealing not being illegal, you are wrong there too.
http://public.leginfo.state.ny.us/menugetf.cgi?COMMONQUERY=LAWS
Go to that link, scroll down to "PEN" for penal laws and click, then go down to section 155 on Larceny. :}
(Their site sucks and uses javascript for navigation, so I can't directly link. Bastards.)
You can look up your own state's similar laws (under penal law, for the crime of larceny).
Just to head off the inevitable "But I don't live in the US so everything you said doesn't matter", the answer is "no, it does, you are wrong." :/
Google is in the US, so is bound by US laws, which is the topic of conversation in this thread.
(Granted, California state laws for theft and not New York, but that was the link I had handy; they are all basically the same except for some minor details, and it was painful enough looking up anything on the NY site as it is.)
It is a company's sole responsibility to make money for its shareholders.
Ya, and that sucks, too, and it should be changed back to more of the original US model, where there were more duties and a lot more oversight into their conduct. Originally, it was a lot harder to get to be a corporation, charters were for a limited time, then a review before a renewal, and you had to be publicly responsible, they couldn't be used to influence public policy, and a lot of other restrictions. Just "making profits" wasn't the sole criterion then to get granted a corporate charter.
A little reference:
http://www.reclaimdemocracy.org/corporate_accountability/history_corporations_us.html
As it is today, it seems like they can do just about anything they want to do, and even if they run afoul of the last remaining checks and balances on their behavior, if they can meet the fine and pass the costs down to their next customers... that's it, they just keep on.
And that's the problem: it's way too easy to have corporations now, and way too hard to get rid of the ones who engage in chronic serial antisocial or outright illegal behavior. They can come to life, but you can't kill them. And even if they screw up so bad they manage to go bankrupt, if they are big enough, they get emergency bailed out. I mean, WTF... you can't get rid of bad businesses or bad business creeps anymore? This is touted as some economic or social "good", because it "enhances shareholder value" or something? This is our loftiest goal?
What you said is certainly true today, but it is the cause of a lot of problems...
A lot of modern corporations look more like toxic invasive species superweeds to me than anything else.
Ha, I am a strict Constitutionalist, a practical centrist, with the emphasis being the sovereign individual first, then some powers to the states, then even less to the central government. The original idea.
I *wish* it was attempted, because I think it could actually work..
When it comes to corporations I just don't like crooks, thieves and liars, nor vampire corporations that can get away with anything and can't be killed, just because of "making money" as their one and only priority. There needs to be a "three strikes and you are out" for corporations, same as it is for individuals. It should be a lot easier to get their charters revoked.
I think *voluntary* collectivism is an interesting idea to run companies fairly and ethically, and still make a buck, like the movements in Argentina today. I'm not real big on large scale centralized planning (left or right wing), but as a voluntary thing, sure. I like the idea of eliminating the typical "workers versus management versus shareholders" internal war which screws up corporations today, and makes them work inefficiently and keeps everyone mad at the other guy. I think that's a lame stupid model. I think the owners should be the workers should be the managers, and share in the profits equitably. This would help eliminate all those bogus decisions based on "short term profits" mentality.