Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google To Pay $500 For Bugs Found In Chromium

Posted by ScuttleMonkey on from the rewards-for-being-1337 dept.

Trailrunner7 writes to mention that a new program from Google could pay security researchers $500 for every security bug found in Chromium. Of course if you find a particularly clever bug you could be eligible for a $1337 reward. "Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be. Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program."

22 of 175 comments (clear)

  1. No adblock plus by sakdoctor · · Score: 3, Funny

    $500 please

  2. Nice idea, but limited scope by girlintraining · · Score: 5, Informative

    They have to decide it's a critical bug, and it must be a single bug. A string of minor bugs that leads to a catastrophic bypass of security would be ineligible if I read these guidelines correctly. They also won't accept it if it's an operating system bug, though I could envision this being "the system call doesn't function as documented". Well, if the operating system won't fix it, it's still the application developer's responsibility to use a workaround -- but you wouldn't get credit for this even if it was a potentially serious problem.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Nice idea, but limited scope by tepples · · Score: 4, Informative

      They have to decide it's a critical bug, and it must be a single bug.

      From the article: "any clever vulnerability at any severity might get a reward."

    2. Re:Nice idea, but limited scope by girlintraining · · Score: 5, Informative

      From the article: "any clever vulnerability at any severity might get a reward."

      "We will typically focus on High and Critical impact bugs, but" ...

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:Nice idea, but limited scope by Your.Master · · Score: 3, Informative

      You've got it backwards. She was providing context, not removing it. The original full quote was:

      "We will typically focus on High and Critical impact bugs, but any clever vulnerability at any severity might get a reward."

    4. Re:Nice idea, but limited scope by fuzzyfuzzyfungus · · Score: 4, Insightful

      $500 (or even $1337) seems a bit low to encourage a would be criminal to go legit with some clever zero day, rather than exploit it. And, if it isn't now, it will be as Chrome's user base increases. For that reason, I'm assuming that they are offering this as a mixture of publicity stunt and goodwill/attention attracting measure for security researchers(ie. $500 won't buy very much time from somebody who really knows their shit about programming and security. If, though, you are either going to spend your day doing mean things to Flash or mean things to Chrome, why not go for the beer money).

      If those are indeed the motivations, it would seem highly counterproductive for them to be dicks about paying out. If they do, their good publicity will swiftly dissipate after a couple of "Google promises cash for bugs, weasels out" articles, and researchers who might otherwise care will probably just get fed up with fighting verbal technicalities and post to some open disclosure site instead.

    5. Re:Nice idea, but limited scope by sys.stdout.write · · Score: 5, Funny

      5) goto 1
      6) profit!

      You're probably going to want to keep the profit within the scope of the loop...

  3. Dilbert by fatherjoecode · · Score: 4, Funny

    Time for Ratbert to do his dance on the keyboard.

    1. Re:dilbert by Brian+Gordon · · Score: 5, Funny

      Found it for you.

  4. But it has AdThwart by tepples · · Score: 3, Insightful

    Wii doesn't have Halo, and Xbox 360 doesn't have Metroid Prime. Or Mac OS X doesn't have Windows Movie Maker, and Windows doesn't have iMovie. And as you point out, Chrome doesn't have Adblock Plus, but Firefox doesn't have AdThwart. Even if the titles aren't the same across platforms, they still do roughly the same thing.

    1. Re:But it has AdThwart by iammani · · Score: 4, Informative

      they still do roughly the same thing.

      No they dont. As it has already been pointed out in slashdot hundreds of times, Chrome only allows you hide ads, it does not prevent ads from being downloaded. Hence you might see ads for a second before they actually disappear. And even worse is ads for youtube (the ones that popup within the flash plugin) can be blocked using Adblock in Firefox, but not in Chrome (using Adthwart or Adblock or whatever).

    2. Re:But it has AdThwart by maxwell+demon · · Score: 3, Insightful

      Given that Google is an advertising company, this is no surprise (actually it's a surprise that they actually offer ad hiding).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    3. Re:But it has AdThwart by iammani · · Score: 3, Informative

      Actually its not that google is explicitly offering ad hiding feature. Its is just that google is allowing extensions to insert stylesheets into webpages and AdThwart is using this feature to hide ads. If google were to not disallow extensions from inserting stylesheets, the capability of the extensions would be so limited that, it would literally become useless.

      Besides it is an open source tool. If they explicitly disallow adblocking. Someone will fork it.

      So it not that google is doing us a favor. Its just that it does not have any other options.

  5. Re:$25,750,000,000!!! by Monkeedude1212 · · Score: 3, Funny

    I wrote Billion twice? Clearly the amount amount is staggering staggering.

  6. Re:Here's an idea! by Anonymous Coward · · Score: 3, Insightful

    If the increase is small enough it probably wouldn't be a problem, but this calls up memories of playing Risk and holding onto my cards because as much as I needed the reward from using them now, it'd be so much MORE of a reward if I held out until someone else turned theirs in.

  7. Re:Why tell when you can exploit? by TheRaven64 · · Score: 3, Insightful

    Well, it is more legal. On the other hand, I suspect that you can sell details of exploitable vulnerabilities to various organised crime syndicates and government agencies for a lot more than $500...

    --
    I am TheRaven on Soylent News
  8. Re:Why tell when you can exploit? by tomhudson · · Score: 4, Insightful

    Why claim a $500 reward when you can exploit and steal more?

    In Soviet Russia, spammer rewards YOU!

    I'll take exploits for $500, Alex.
    Sorry, the Russian Business Network is paying $5000.

  9. Re:Why tell when you can exploit? by matzahboy · · Score: 3, Insightful

    Because that is illegal... the idea of this project is to get honest security researchers incentives to find bugs so that the people who would exploit them, cannot.

  10. google just does everything different by Lord+Ender · · Score: 4, Interesting

    Some software companies sue security researchers. A few (Adobe) even attempt to get researchers arrested! Microsoft openly espouses its disdain for security researchers (see Balmer's comments at the shareholders' meeting).

    Google? Google pays them cold, hard cash.

    I swear, it seems Google bucks every bad trend in the software/IT industry. It's like they're reading Slashdot and doing everything we say! The only real gripe slashdotters have with google is targeted advertising, but that's their revenue model, so the best we can hope for is that they don't give the info to those who would use it for something harmful (which seems to be the case).

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:google just does everything different by Lord+Ender · · Score: 3, Informative

      but Chromium isn't open source

      Bzzzzt!

      "Chromium is the open-source project behind Google Chrome."

      http://code.google.com/chromium/

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:google just does everything different by Lord+Ender · · Score: 4, Informative

      Define harmful

      Not harmful: showing you gadget ads instead of tampon ads because they know you're in the gadget demographic.

      Harmful: helping a dictatorship track you so they can kill you for espousing liberal views; helping law enforcement investigate your online activity without due process.

      As far as I can tell, Google only does the "not harmful" stuff with the data it collects, and in some cases it goes to great lengths to avoid doing the "harmful" stuff.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    3. Re:google just does everything different by ThrowAwaySociety · · Score: 3, Interesting

      I swear, it seems Google bucks every bad trend in the software/IT industry.

      Here's Bruce Schneier pointing out the problems with such strategies in 1998. Point #3 is probably most salient in this case, but Chromium isn't open source, so the first two are still valid.

      Totally different. Schneier is talking about putting up money to "prove" that a given product has no bugs. Google is smart enough to know that every product has bugs, and is just giving an incentive for people to find them (or more likely, for the finders to report them.)