Google Patches 10 Chrome Bugs, Pays Out $10K

CWmike writes "Google patched 10 vulnerabilities in Chrome on Thursday, but it didn't award any of the researchers who reported bugs its new top-dollar reward. Google divulged no details of the vulnerabilities and, as is its custom, it blocked public access to its bug-tracking database — a practice meant to keep attackers from using the information before most users have upgraded. Some rivals, such as Mozilla, do the same; others, like Microsoft, do not. Sergey Glazunov banked $4,674 for reporting four bugs, including the previous maximum $1,337 each for two of the quartet. A researcher known as 'kuzzcc,' who has also reported flaws in Opera to that browser's Norwegian maker, took home $2,000 for uncovering a pair of Chrome vulnerabilities. But no one received Google's new biggest bounty, which the company set at $3,133.70 last month, after Mozilla had increased its maximum vulnerability payment to $3,000."

Money talks.

[pspahn]

Meritocracy at work. It's nice to see, and I'm sure I will hear all sorts of complaints about how it is neither fair nor effective.

Re:Money talks.

[Suki+I]

Meritocracy at work. It's nice to see, and I'm sure I will hear all sorts of complaints about how it is neither fair nor effective.

Getting paid to help is always good. Especially on things many of us try to help on even if there is not pay incentive.

Re:Money talks.

"I'm sure I will hear all sorts of complaints about how it is neither fair nor effective."

Out of curiosity, why is that? It seems odd that anyone would complain about people getting paid a modest sum of money to do useful work.

Re:Money talks.

The price of running this idea through the PR-department must have been much larger than the sum of the prices. But I still like the idea of handing out cash.

Re:Money talks.

[jamesh]

Out of curiosity, why is that? It seems odd that anyone would complain about people getting paid a modest sum of money to do useful work.

My guess would be because some people like to complain.

Re:Money talks.

[tylerni7]

One could fairly easily sell these sorts of bugs for much more than a "modest sum." I believe the common counter argument is that those finding these bugs should be given something closer to the "market price" (for bugs in something as wide-spread as IE, this can be on the order of hundreds of thousands of dollars).

I don't really agree with this argument, just thought I'd fill you in on why some people would be complaining. The fact that these bugs were found and patched means that it can't be a horrible arrangement though.

Re:Money talks.

Yes you're right. Some people don't like to accept compensation for things like this (research, volunteering, contributions). It isn't uncommon for one of them to feel trapped by their own rules of ethics, desiring payment but unwilling to take it, and then they despise others for accepting it... and themselves for wanting it.

Re:Money talks.

Getting paid to help is always good. Especially on things many of us try to help on even if there is not pay incentive.

Getting paid by a company that makes money from your help is not only good, but it is also fair. For them time translates into money, why wouldn't it work the same for the guys helping them ?

Re:Money talks.

If the goal is to find vulnerabilities, then yes. This is great way to encourage people to do just that.

If the goal is to maximize security for the average user, this pay-per-pwn reward scheme is a tangent at best.

"Meritocracy" does not mean rewarding people to do work. That's just "labor". Meritocracy means rewarding the right people for doing the right job, where the job in this case is ostensibly to improve security. Here, we have an incorrect solution to a problem, and therefore the quality of people performing in this regard are irrelevant -- hiring the best bricklayer in town to setup your internet connection is not meritocracy at work. It's actually a form of waste.

While I don't condone obscurity as a rule, it certainly does have practical benefits. Why not reap the benefits of obscurity where it is preserved, and openness where it is exposed? Practical moderation succeeds where ideological extremism fails. Paying people to dig up exploits before they're exploited is the same fallacy as using DRM to prevent "lost sales". Not only is the fix inconclusive, but by having it out there you know you've actually caused a nonzero number of machines to become compromised, and by offering a cash reward for these activities you're only creating more such incidents. Just as people refuse to buy DRM and pirate instead, leading to a circular argument for more DRM, there is no breakpoint at which the number of exploits will decrease; when such a thing happens it will merely lead to convincing the institutions that they need to offer more money (which was indeed another aspect mentioned in the story), which in turns raises more interest and turns out more exploits, and so on.

In the end, a few people get a little bit of money, and a lot of people get hacked. Does that really sound like a meritous system to you?

Re:Money talks.

modest sum of money

Don't get me wrong here.
These people (likely) work their butts off with specialized training and sharp minds and (very likely) deserve every penny they get, but please don't label a sum of money > $1000 as "modest"; It's not like a Mechanical Turk payout.

Re:Money talks.

[similar_name]

Nothing specifically to back it up, but I think sometimes that people really just want recognition. Google giving them a reward for finding a fix can be that recognition or hacking Google and compromising thousands of machines can be that recognition. Either way they will find the exploit. Better that Google recognizes them than a criminal enterprise.

Re:Money talks.

I know not to ask if you read TFA, but did you even bother to read the summary?

"Google divulged no details of the vulnerabilities and, as is its custom, it blocked public access to its bug-tracking database — a practice meant to keep attackers from using the information before most users have upgraded."

Re:Money talks.

[hcs_$reboot]

I agree and endorse that kind of behavior.
However, for the same price, Google gets also a lot of free advertisement that contributes to improve their image. But I'm not complaining ...

Re:Money talks.

I don't agree 100% with what the guy was saying, but this is what I think he was getting at.

Chromium is an open source browser. Take current release. Take previous release. Diff. Derive any exploits. Construct drive-by attack for the many who haven't yet/never will update.

On balance, though, I think the bug bounties are the way to go.

Re:Money talks.

[pspahn]

Nature of the beast?

Instead of objective discussion, /. seems to (these days) often revolve around people throwing anger around. I simply wouldn't be surprised when people find something... anything to bitch and moan about. Heck, my post was tagged as flamebait initially. I suppose that's not too far off, but it's simply discouraging when people are so quick to make knee-jerk reactions to anything just for the sake of doing so.

Devil's advocate =! flamebait.

Re:Money talks.

[commodore64_love]

You're basically accepting payment for lost life (which can never be recovered). "I'll spend 40 hours programming your software, and I want $1000 in return for my precious life wasted."

Re:Money talks.

[DrEldarion]

One of the nice things about Chrome is that it silently updates itself, so unless you go out of your way to disable that (and it's difficult...), everyone will always be up to date.

Re:Money talks.

[Abstrackt]

You're basically accepting payment for lost life (which can never be recovered). "I'll spend 40 hours programming your software, and I want $1000 in return for my precious life wasted."

I assume we're still talking about collecting bounties from Google when I make the following statement. If the work you do for the possibility of money feels like wasting your life maybe you should do something else, like work for the guarantee of money or simply treat it as a hobby.

Re:Money talks.

[commodore64_love]

Granted - but my point was that I should not be criticized for accepting the money.

It's MY life not somebody else's, and if I want to be compensated I have that right, and they can keep their dumb-assed hippy opinion ("work for free!") to themselves. I don't like Bible thumpers preaching at me, and I certain don't need hippies preaching at me either. If I waste days of my life finding a bug, I expect payment.

Re:Money talks.

[DaVince21]

Because they didn't get the money.

Static analysis?

[Singri]

Are they using a static analysis tool to find bugs?

Re:Static analysis?

[Singri]

By *they* I mean Google.

True Geeks at Heart

[UNHOLYwoo]

", which the company set at $3,133.70 last month" Great, Easter eggs beyond the code.

Re:True Geeks at Heart

[wen1454]

31337 = eleet. It took me like 10 minutes to figure that out. I guess that proves I am not a geek.

Re:True Geeks at Heart

[Suki+I]

Glad you decoded it for me! We are on the same ship.

Re:True Geeks at Heart

[Abstrackt]

Glad you decoded it for me! We are on the same ship.

The best way I ever heard someone describe this idiom was that "a boat is what you get on when the ship's sinking". When you're still on the ship everything is just fine, which means the idiom simply doesn't work. When you're in the boat though, that means there's a problem. ;)

a couple grand?

[circletimessquare]

you would think you could sell this information to certain other parties for a lot more than that

and the potential for damage that can be done to the company's brand, and with all of the money the company has, you'd think they'd pay at least an order of magnitude more. and get a lot more interest in finding and reporting security flaws to boot

they are playing pennies for gems of information

Re:a couple grand?

[Suki+I]

you would think you could sell this information to certain other parties for a lot more than that

and the potential for damage that can be done to the company's brand, and with all of the money the company has, you'd think they'd pay at least an order of magnitude more. and get a lot more interest in finding and reporting security flaws to boot

they are playing pennies for gems of information

Some of us like to play nice. Not saying I am in the category of the people who got those rewards, of course.

Re:a couple grand?

[Alphanos]

It has to be a careful balance to set bounties like this at the right amount. The information and fixes are valuable, yes. However, If they set the payout too high, it could actually encourage their employees to write buggy software in the hopes of cashing in (i.e. through a friend or family member).

Re:a couple grand?

[larry+bagina]

Google doesn't play nice.

Re:a couple grand?

[circletimessquare]

I have no doubt you're one of the good guys. But not everyone is

Re:a couple grand?

[Darkness404]

Yeah, but Google is reputable, you -know- that their $3K is going to be genuine. Good luck suing J. Random Blackhat when the money he pays you turns out to be stolen/fraudulent or never arrives.

Re:a couple grand?

[JackCroww]

But there is an additional potential payoff. If someone finds enough bugs, I'm sure there's a chance that they could be offered a job by Google, which would most likely payoff both monetarily and socially/job security more than selling the bug details to "certain other parties".

Re:a couple grand?

[Suki+I]

Love your sig ;)

Re:a couple grand?

[Darkness404]

...Except for the fact when Google audits the broken code and finds the person responsible for putting it in they are out a job, and my guess is, stable employment with a decent paycheck and benefits is better than a quick $3K.

Re:a couple grand?

[Suki+I]

I have no doubt you're one of the good guys. But not everyone is

Not much I can do about others doing bad things outside of my office. I have full control over what I do.

Re:a couple grand?

[hoggoth]

Someone probably did and does sell this kind of information to other parties.
They don't get an article about them though.

These people did research they enjoy, made a little money, built their personal brands, raised their 'wuffie', helped Google, helped Chrome users, and got an article written about them.

Re:a couple grand?

[hoggoth]

Sorry: 'Whuffie'.

Re:a couple grand?

[stms]

I don't think that would be to much of a problem at Google. I mean I doubt many Google employees (certainly not coders) make less than 6 figures and probably with an amazing retirement plan as well. I wouldn't risk a job at Google for anything less than 7 figures.

Re:a couple grand?

[WillDraven]

I think that's exactly the GP's point. $3k isn't worth risking your job over. $30k or $300k might be.

Re:a couple grand?

[Achromatic1978]

Actually, you would be wrong... Google actually pays a fair bit less than many other tech companies, thinking that their 'rep' is some salary too. They used to rely on benefits, too - the cafeterias, etc... but have been cutting back drastically on those.

Re:a couple grand?

[stms]

Yes but I would still hold my point that Google has a lot of leeway when it comes to raising the bounty before that becomes an issue.

Re:a couple grand?

[ProfessionalCookie]

I'm sure it reduces the criminal payout to know that the rest of the world is competing to find and fix the same bug. IE on the other hand...

Re:a couple grand?

[bm_luethke]

Certainly, without there being some that play nice there wouldn't be the terms "white hat" and "black hat" hackers - they would all be black hat.

It is kinda a Prisoners Dilemma - while yes you *could* get more if you you found the right buyer you have to *find* that buyer before the bug is found and patched. It isn't a remotely legal trade in most places so its not like they are going to advertise and chances are the people who would find this type of bug aren't in the day to day business of this type to know who would either. Really, how many of the security violations have been used for *monetarily* advantageous usages? Annoying exploits for sure, but something worth thousands of dollars to take advantage of? I suppose one could truthfully say the really good ones you do not hear about (and I'll buy that - the truly good black-hat hackers you do not hear about either), but I can't imagine any hack worth many thousands to *purchase* (with all the risks involved of law enforcement with Honey Pots) not being known to so few that a website with hundreds of thousands of posters doesn't get *one* post with it.

So you could spend months trying to find that big payout only to get arrested or you could get thousands for going through legitimate channels. Further if you found it chances are someone else will/can too and will report it for the thousands of dollars. Hmm, it's kinda like saying if you rat your partner out they get the death penalty and you get nothing, however if you both say nothing you both get the death penalty unless you can get your jury to all be ex cons - hard choice there isn't it? (yea a really simple "prisoner's dilemma" as it isn't really a dilemma what to take - both remaining silent doesn't get you anything).

As long as the money payed out for bugs is comparative low it is a brilliant business move, not much to loose and a great deal to gain. I bet on a per-bug metric they are MUCH cheaper to do this than pay a full QA team to test *and* more effective. Lots of unpaid testers out there. Now if they are riddled with simple to catch bugs not so much, but once they are in a hard to find mode for bugs - quite cheap and effective.

Re:a couple grand?

The payment for a single bugbounty cannot be very high. It must somehow be related to the salaries of their employees, to keep it fair.

Re:a couple grand?

[Jurily]

I have full control over what I do.

And I'm Santa Claus.

Re:a couple grand?

[Psychotria]

...Except for the fact when Google audits the broken code and finds the person responsible for putting it in they are out a job, and my guess is, stable employment with a decent paycheck and benefits is better than a quick $3K.

Citation please. I find it hard to believe that a Google employee (or an employee of any company) would find themselves out of a job because of broken code.

Re:a couple grand?

[interkin3tic]

Santa, I'd like some self control this year for christmas.

Re:a couple grand?

They might do it if they can prove it was intentional. But how can they prove this beyond any doubt ?

Re:a couple grand?

Do you work there?

My offer from Google was within 5k of the offers from Microsoft, Amazon and Apple. Consulting companies like Booz Allen were quite a bit lower with worse benefits packages. The big financials were even worse, often 20k below in salary compared to the big companies I listed.

Google pays engineers quite well. From what I hear, non-engineers are not as lucky.

Re:a couple grand?

He's saying if they're caught doing it to cash in on the reward for fixing it. Do you really find that so hard to believe that someone would be fired for damaging the company's product to defraud them?

Re:a couple grand?

It's not the broken code that will get them kicked out of the job, it would be the dishonesty of ripping the company off. Most (read ALL) do not like or tolerate dishonest employees.

learn your colloquialism

in the same boat

Re:learn your colloquialism

[Suki+I]

Such a USAian AC aren't you?

Re:learn your colloquialism

Why is it some people are so resolute in their ignorance, they get indignant? At least in the USA stupidity is considered simply a freedom, not a right.

Re:learn your colloquialism

[Suki+I]

Some of us enjoy a little extra flavour in our language than others.

Re:learn your colloquialism

[jamesh]

how about you make like a tree and get the hell out of here.

Re:learn your colloquialism

[twidarkling]

Bollocksing up a common phrase by randomly switching in words is not "flavouring the language." It's "clouding the issue." Use the right phrase, with the right words, or don't use the phrase. You're not avant garde, you're not clever. You're uneducated. If you're ESL, that's one thing, but then you don't claim you're enjoying flavour in your language. Pretty sure you're just a tool.

Re:learn your colloquialism

[shish]

how about you make like a tree and get the hell out of here.

Speaking of geek phrases -- "Make like freenode and split"

Re:learn your colloquialism

...nor a crime. Yet.

What about it, lawmakers?

Re:learn your colloquialism

[AikonMGB]

I agree, maybe they should make like a tree and get the fcuk out of here ;)

Aikon-

Re:learn your colloquialism

If she is made out of wood we can build a bridge out of her.

Re:learn your colloquialism

[commodore64_love]

I'm sorry.

I didn't mean to step on your lawn nazi. He's a cute little lawn ornament.

31373 is my favorite Commodore=64 game. I love blowing things up in my first-person spaceship, and fighting Thargoids.

Re:learn your colloquialism

Tell that to Larry David or Billy Shakespeare.

Re:learn your colloquialism

[Abstrackt]

A little hot under the colander eh?

Re:learn your colloquialism

Seeing if he floats should put that fire out.

Re:learn your colloquialism

That's not what either of the did.

Shakespeare in particular made up new phrases and new words. He actually was flavouring the language. What he didn't do is take a commonly used phrase, and then replace two words with near-synonyms in a way that makes the phrase harder to recognize and understand while adding no value.

Do no evil...

...but do no good?

So what?

[Lord+Kano]

Let me know when they figure out how to add a menu bar.

LK

Re:So what?

[Lord+Kano]

Hey, there is no -1 Disagree moderation.

LK

Re:So what?

[Lord+Kano]

I have plenty of karma. Chrome is a horrible application.

LK

:a couple grand?

I am one of the bad guys :)

I assure you the bugs are worth more. The problem with those who get caught is they are lazy. You have to make personal security priority #1. Most of those in the business don't spend the time and effort to protect themselves from the inevitable risk they are taking. If they keep it up long enough those risks catch up to them. People are stupid. You can't take millions upon millions of dollars without taking some precautions. Hiding doesn't work. You have to stop any one particular thing they might investigate before you get caught to reduce risk and even then make it impossible to discover the problem you created so they can't start to investigate before you have the money in hand. This way they can't track the money back to you. There are ways to make money untraceable. If you don't keep up one activity long enough they won't catch up with you. Deviation is key. The more time they have to learn about how you work they can learn about you the more likely they will catch you. If you deviate frequently they won't be able to connect the dots to catch you. Deviate and they loose your trail. If they don't catch up you still have a problem because the government will be suspicious of anybody with money and no reported source of income. You got to create fake entities to sell something intangible to generate profit and give the appearance of a legitimate business of which you can report to the IRS that'll explain the income you've generated.

6month disclosure

[munky99999]

There's a 6 month disclosure timing. They likely reported and got paid months ago for these.

"ELEETO"?

[Bitmanhome]

WTF does that mean?

Re:"ELEETO"?

[inflamed]

It's probably an incremental title - the first (most) elite is elite 0, the penultimate h4x0r is elite 1, and so on... It's a privilege to be the best - a single digit is easier to type than a half dozen are, and 0 falls on the underused right-hand side of the qwertyboard.

Re:"ELEETO"?

It's in spanish

Re:"ELEETO"?

I've used l33t0 before and know what that means, but what is this "ELEETO" you speak of, something for EMACS, perhaps?

Re:"ELEETO"?

[ryzvonusef]

Don't be daft, it's obviously Japanese, can't you spot the syllabaries? :D
http://ja.wikipedia.org/wiki/%E3%82%A8%E3%83%AA%E3%83%BC%E3%83%88

Re:"ELEETO"?

You're clearly not eleeto enough to know.

Think of it this way: those who eleeto cannot explain, those who don't cannot understand.

$13.37

[antdude]

Yesterday, my employer's stock was at $13.37 and I laughed. No one else got the joke. :(

Re:$13.37

That's because they bought at $313.37

Re:$13.37

[Zarf]

They should sell before it hits $4.20

Re:$13.37

[antdude]

That would be nice, but leet is cool too.

Blocking users from its bug database

[klui]

Why would Google do that if its updates occur frequently due to they being deltas and of smaller sizes? Would it not make any difference since users are most likely patched up already? I can understand for users who are using the portable versions--like me--unless there are more portable users than there are who install the regular app.

1337

[Diantre]

The maximum amount paid for a bug is 1,377$ ? I guess someone at google played too much CS.

Cheap ass bastards

[tsotha]

Ten grand? Is that a typo?

If I find an exploit I'm gonna sell it to the Russian mob. And not for no ten grand.

Re:Cheap ass bastards

[tsj5j]

Good to see we're moving towards an amoral society where money speaks all. Go capitalism!

Re:Cheap ass bastards

[tsotha]

No, if it was capitalism Google would pay something reasonable. This is some kind of commie corporatism.

Chrome versioning madness

Why is Chrome version 6 already in beta. Yes, it's fast, but other than that? Meh. Any other company would call it version 1.0.

Google is playing catchup with version numbers.

Imagine how much their work would have been worth

[hyades1]

...if your basic EULA didn't make most average users believe they had no right to sue somebody who yanked your pants down and offered their ass for sale to the highest bidder.

I guess none of them were 1337 enough.

[Arancaytar]

...

Bugs for cash

[cjjjer]

The reason that Google and alike are offering "bounties" on bugs is that the people behind malware do the same thing. They offer cash for exploits, not hard to find them either, just use a different search engine other than Google.

This is a very good and smart policy.

[BlueCoder]

Of course it can't compete with the black market though but it's a good first step.

Though it broke SSL somehow

[chriskessel]

And ever since the pushed out fixes, I can't connect to a bunch of SSL sites (such as mail.google.com). Apparently the fixes broke the ability to access SSL sites from behind a corporate firewall in some cases. The fixes made Chrome nearly useless to me :(.

I'll Pay $3,133.71...

[tingentleman]

...to anyone who can identify an exploit that let's me introduce another 5 exploits