Slashdot Mirror


Google Up Ante For Disclosure Rules, Increases Bug Bounty

An anonymous reader writes "In a recent post by seven members of their security team, Google lashed out against the current standards of responsible disclosure, and implicitly backed the recent actions of Tavis Ormandy (who is listed as one of the authors). The company said it believed 60 days should be an 'upper bound' for fixing critical vulnerabilities, and asked to be held to the same standard by external researchers. In another, nearly simultaneous post to the Chromium blog, Google also announced they are raising the security reward for Chrome vulnerabilities to $3133.7, apparently in response to Mozilla's recent action."

3 of 134 comments

  1. Re:This is good competition by MLS100 · · Score: 0, Troll

    Or, for the glass-half-empty types: Google and Mozilla aren't willing to pay more than $3134 to eliminate a remotely exploitable vulnerability that could be potentially disastrous for their users!

  2. Re:Elite by Your.Master · · Score: 0, Troll

    It was a potential conflict of interest, given that he is a paid employee of Google who works as a security engineer. If this was inconsistent with Google's policies, there is definitely a problem; the problem would have been Tavis' fault (not Google's), but it would be up to Google to repudiate the actions if it believed Ormandy was not in compliance.

    This article instead suggests that Google's policy is consistent with Tavis' actions, so it really doesn't matter.

    Which is fair, but I don't see this new policy as really consistent with Tavis' case. Presumably he disclosed because he was "responding to a [...] refusal to address the problem". We know Microsoft did respond to Tavis within the same day on the weekend, but he was unsatisfied with the response and gave full disclosure a few business days later rather than waiting out his deadline. I'd like that part clarified.

  3. Re:60 days is not 5 by abigsmurf · · Score: 1, Troll

    He did frame it correctly. He gave them 60 days to fix it. Not "60 days to fix it plus you must stroke my ego sufficiently and quickly enough".

    If you give someone a 60 day deadline, you stick to it. You don't throw a hissy fit and put far more computers at risk because they didn't behave exactly as you want.

    Yes, the code was known and being exploited, but he made the exploit far more widespread (just look at the explosion of malware that abused the bug that appeared days after he published it).

    Sorry, Tavis is a scumbag lacking in morals who only cared about grabbing headlines.