Google Up Ante For Disclosure Rules, Increases Bug Bounty
An anonymous reader writes "In a recent post by seven members of their security team, Google lashed out against the current standards of responsible disclosure, and implicitly backed the recent actions of Tavis Ormandy (who is listed as one of the authors). The company said it believed 60 days should be an 'upper bound' for fixing critical vulnerabilities, and asked to be held to the same standard by external researchers. In another, nearly simultaneous post to the Chromium blog, Google also announced they are raising the security reward for Chrome vulnerabilities to $3133.7, apparently in response to Mozilla's recent action."
Google also announced they are raising the security reward for Chrome vulnerabilities to $3133.7
That's quite the elite sum of money to use as a reward.
Dear Google,
I just found a bug in Gmail. We should talk.
Sincerely,
Chinese Hacker
I think that your comment can be read on two levels:
One. You are correct. Google is almost certainly taking advantage of the fact that browsers are substantially less complex (and people are comparatively tolerant of little rendering glitches, unless they scotch the whole page or "people" happen to be graphic designers...). It is a cynical, but very logical, tactic to talk most about the virtues you can cultivate most easily (though, conceivably, 60 days might actually be a much tighter limit for some of their server stuff; I don't know how hairy that can get).
Two. If your product is too large, and too tightly coupled, to turn around a fix in two months, you had better have a very compelling reason. Arguably, Microsoft's relatively tight coupling of an enormous number of pieces has been very good business, but not very good design. In the short term, Google's implicit dig is rather cynical. In the longer term, though, they are really scoring a point in a battle of architectural philosophies. Microsoft probably actually handles size, complexity, and tight inter-relation better than most (they'd be dead if they didn't); but the problems that it causes them are basically their fault. They made that mess; they deliberately coupled stuff for economic reasons that could have been decoupled for engineering ones...
Read the actual reporting on what happened. Tavis gave MS 60 days, but they refused to commit to any timeline. So he went ahead and disclosed immediately, along with a fix for affected systems.
It's also important to understand that Tavis has been reporting critical vulnerabilities to MS for years, and in some cases waited over a year for them to push a fix. This time he saw something trivial that should be fixed immediately, and he put their feet to the fire. Oddly enough, they did push out their own fix in under 60 days after the vulnerability was made public. So you don't have to agree with his methods, but you should at least frame the situation correctly.