Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Patches 10 Chrome Bugs, Pays Out $10K

Posted by timothy on from the splat-splat-splat dept.

CWmike writes "Google patched 10 vulnerabilities in Chrome on Thursday, but it didn't award any of the researchers who reported bugs its new top-dollar reward. Google divulged no details of the vulnerabilities and, as is its custom, it blocked public access to its bug-tracking database — a practice meant to keep attackers from using the information before most users have upgraded. Some rivals, such as Mozilla, do the same; others, like Microsoft, do not. Sergey Glazunov banked $4,674 for reporting four bugs, including the previous maximum $1,337 each for two of the quartet. A researcher known as 'kuzzcc,' who has also reported flaws in Opera to that browser's Norwegian maker, took home $2,000 for uncovering a pair of Chrome vulnerabilities. But no one received Google's new biggest bounty, which the company set at $3,133.70 last month, after Mozilla had increased its maximum vulnerability payment to $3,000."

9 of 95 comments (clear)

  1. Money talks. by pspahn · · Score: 2, Interesting

    Meritocracy at work. It's nice to see, and I'm sure I will hear all sorts of complaints about how it is neither fair nor effective.

    --
    Someone flopped a steamer in the gene pool.
    1. Re:Money talks. by Anonymous Coward · · Score: 1, Interesting

      "I'm sure I will hear all sorts of complaints about how it is neither fair nor effective."

      Out of curiosity, why is that? It seems odd that anyone would complain about people getting paid a modest sum of money to do useful work.

    2. Re:Money talks. by Anonymous Coward · · Score: 2, Interesting

      Yes you're right. Some people don't like to accept compensation for things like this (research, volunteering, contributions). It isn't uncommon for one of them to feel trapped by their own rules of ethics, desiring payment but unwilling to take it, and then they despise others for accepting it... and themselves for wanting it.

    3. Re:Money talks. by Anonymous Coward · · Score: 1, Interesting

      Getting paid to help is always good. Especially on things many of us try to help on even if there is not pay incentive.

      Getting paid by a company that makes money from your help is not only good, but it is also fair. For them time translates into money, why wouldn't it work the same for the guys helping them ?

    4. Re:Money talks. by Anonymous Coward · · Score: 3, Interesting

      If the goal is to find vulnerabilities, then yes. This is great way to encourage people to do just that.

      If the goal is to maximize security for the average user, this pay-per-pwn reward scheme is a tangent at best.

      "Meritocracy" does not mean rewarding people to do work. That's just "labor". Meritocracy means rewarding the right people for doing the right job, where the job in this case is ostensibly to improve security. Here, we have an incorrect solution to a problem, and therefore the quality of people performing in this regard are irrelevant -- hiring the best bricklayer in town to setup your internet connection is not meritocracy at work. It's actually a form of waste.

      While I don't condone obscurity as a rule, it certainly does have practical benefits. Why not reap the benefits of obscurity where it is preserved, and openness where it is exposed? Practical moderation succeeds where ideological extremism fails. Paying people to dig up exploits before they're exploited is the same fallacy as using DRM to prevent "lost sales". Not only is the fix inconclusive, but by having it out there you know you've actually caused a nonzero number of machines to become compromised, and by offering a cash reward for these activities you're only creating more such incidents. Just as people refuse to buy DRM and pirate instead, leading to a circular argument for more DRM, there is no breakpoint at which the number of exploits will decrease; when such a thing happens it will merely lead to convincing the institutions that they need to offer more money (which was indeed another aspect mentioned in the story), which in turns raises more interest and turns out more exploits, and so on.

      In the end, a few people get a little bit of money, and a lot of people get hacked. Does that really sound like a meritous system to you?

    5. Re:Money talks. by Anonymous Coward · · Score: 3, Interesting

      I don't agree 100% with what the guy was saying, but this is what I think he was getting at.

      Chromium is an open source browser. Take current release. Take previous release. Diff. Derive any exploits. Construct drive-by attack for the many who haven't yet/never will update.

      On balance, though, I think the bug bounties are the way to go.

  2. Re:learn your colloquialism by Anonymous Coward · · Score: 1, Interesting

    Why is it some people are so resolute in their ignorance, they get indignant? At least in the USA stupidity is considered simply a freedom, not a right.

  3. Re:learn your colloquialism by Suki+I · · Score: 1, Interesting

    Some of us enjoy a little extra flavour in our language than others.

    --
    Home of The Suki Series
  4. Re:learn your colloquialism by twidarkling · · Score: 3, Interesting

    Bollocksing up a common phrase by randomly switching in words is not "flavouring the language." It's "clouding the issue." Use the right phrase, with the right words, or don't use the phrase. You're not avant garde, you're not clever. You're uneducated. If you're ESL, that's one thing, but then you don't claim you're enjoying flavour in your language. Pretty sure you're just a tool.

    --
    Canada: The US's more awesome sibling.