Slashdot Mirror


Google Patches 10 Chrome Bugs, Pays Out $10K

CWmike writes "Google patched 10 vulnerabilities in Chrome on Thursday, but it didn't award any of the researchers who reported bugs its new top-dollar reward. Google divulged no details of the vulnerabilities and, as is its custom, it blocked public access to its bug-tracking database — a practice meant to keep attackers from using the information before most users have upgraded. Some rivals, such as Mozilla, do the same; others, like Microsoft, do not. Sergey Glazunov banked $4,674 for reporting four bugs, including the previous maximum $1,337 each for two of the quartet. A researcher known as 'kuzzcc,' who has also reported flaws in Opera to that browser's Norwegian maker, took home $2,000 for uncovering a pair of Chrome vulnerabilities. But no one received Google's new biggest bounty, which the company set at $3,133.70 last month, after Mozilla had increased its maximum vulnerability payment to $3,000."

20 of 95 comments

  1. Money talks. by pspahn · · Score: 2, Interesting

    Meritocracy at work. It's nice to see, and I'm sure I will hear all sorts of complaints about how it is neither fair nor effective.

    --
    Someone flopped a steamer in the gene pool.
    1. Re:Money talks. by Suki+I · · Score: 4, Informative

      Meritocracy at work. It's nice to see, and I'm sure I will hear all sorts of complaints about how it is neither fair nor effective.

      Getting paid to help is always good. Especially on things many of us try to help on even if there is no pay incentive.

    2. Re:Money talks. by jamesh · · Score: 2, Insightful

      Out of curiosity, why is that? It seems odd that anyone would complain about people getting paid a modest sum of money to do useful work.

      My guess would be because some people like to complain.

    3. Re:Money talks. by Anonymous Coward · · Score: 2, Interesting

      Yes you're right. Some people don't like to accept compensation for things like this (research, volunteering, contributions). It isn't uncommon for one of them to feel trapped by their own rules of ethics, desiring payment but unwilling to take it, and then they despise others for accepting it... and themselves for wanting it.

    4. Re:Money talks. by Anonymous Coward · · Score: 3, Interesting

      If the goal is to find vulnerabilities, then yes. This is a great way to encourage people to do just that.

      If the goal is to maximize security for the average user, this pay-per-pwn reward scheme is a tangent at best.

      "Meritocracy" does not mean rewarding people to do work. That's just "labor". Meritocracy means rewarding the right people for doing the right job, where the job in this case is ostensibly to improve security. Here, we have an incorrect solution to a problem, and therefore the quality of people performing in this regard is irrelevant -- hiring the best bricklayer in town to set up your internet connection is not meritocracy at work. It's actually a form of waste.

      While I don't condone obscurity as a rule, it certainly does have practical benefits. Why not reap the benefits of obscurity where it is preserved, and openness where it is exposed? Practical moderation succeeds where ideological extremism fails. Paying people to dig up exploits before they're exploited is the same fallacy as using DRM to prevent "lost sales". Not only is the fix inconclusive, but by having it out there you know you've actually caused a nonzero number of machines to become compromised, and by offering a cash reward for these activities you're only creating more such incidents. Just as people refuse to buy DRM and pirate instead, leading to a circular argument for more DRM, there is no breakpoint at which the number of exploits will decrease; when such a thing happens it will merely lead to convincing the institutions that they need to offer more money (which was indeed another aspect mentioned in the story), which in turns raises more interest and turns out more exploits, and so on.

      In the end, a few people get a little bit of money, and a lot of people get hacked. Does that really sound like a meritorious system to you?

    5. Re:Money talks. by Anonymous Coward · · Score: 3, Interesting

      I don't agree 100% with what the guy was saying, but this is what I think he was getting at.

      Chromium is an open source browser. Take current release. Take previous release. Diff. Derive any exploits. Construct drive-by attack for the many who haven't yet/never will update.

      On balance, though, I think the bug bounties are the way to go.
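
The "take current release, take previous release, diff" step in the comment above is patch-diffing triage, and it is mechanical enough to show in code. The following is an added example, not code from Slashdot, Chromium or any of the commenters: it diffs two versions of a source file and ranks the hunks that have the shape of a memory-safety fix (a comparison in a new `if`, an early exit, a length identifier, all landing next to a call like `memcpy`). The two C snippets are constructed stand-ins for a file at release N-1 and release N, and the indicator regexes and their weights are assumptions chosen for illustration, not a published heuristic. It stops at triage; nothing here derives an exploit.

```python
"""Patch-diffing triage: rank unified-diff hunks by how much they look like
a memory-safety fix. Added example with constructed inputs; the heuristics
and weights below are assumptions, not a published method."""
import difflib
import re

# Constructed stand-ins for one file at release N-1 and release N (not real
# Chromium source). The newer version adds bounds checks before a memcpy.
OLD_SRC = """\
int parse_record(const unsigned char *buf, size_t buflen, record_t *out)
{
    size_t len = buf[0];
    memcpy(out->data, buf + 1, len);
    out->len = len;
    return 0;
}

void log_tag(const char *tag)
{
    printf("tag=%s\\n", tag);
}
"""

NEW_SRC = """\
int parse_record(const unsigned char *buf, size_t buflen, record_t *out)
{
    size_t len;
    if (buflen < 1)
        return -1;
    len = buf[0];
    if (len > buflen - 1 || len > sizeof(out->data))
        return -1;
    memcpy(out->data, buf + 1, len);
    out->len = len;
    return 0;
}

void log_tag(const char *tag)
{
    printf("tag: %s\\n", tag);
}
"""

# (label, regex, weight): scored on added ("+") lines only. Assumed values.
ADDED_LINE_INDICATORS = [
    ("comparison inside an if", re.compile(r"\bif\s*\(.*(<=|>=|<|>)"), 2),
    ("length/size identifier", re.compile(r"\b(len|length|size|buflen|sizeof|count|offset)\b"), 1),
    ("early exit", re.compile(r"^\s*(return\b|goto\s+\w+|break\s*;)"), 1),
    ("NULL check", re.compile(r"\b(NULL|nullptr)\b"), 1),
]
# Scored on every line of the hunk, context included: a new check landing
# next to one of these calls is the classic shape of a memory-safety fix.
RISKY_API = re.compile(r"\b(memcpy|memmove|strcpy|strncpy|strcat|sprintf|alloca|malloc|realloc|free)\s*\(")


def unified_hunks(old, new):
    """Split a unified diff of old -> new into hunks (each a list of lines, '@@' header first)."""
    diff = list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                     fromfile="release-prev", tofile="release-cur",
                                     lineterm="", n=1))
    hunks = []
    for line in diff[2:]:  # skip the ---/+++ file header
        if line.startswith("@@"):
            hunks.append([line])
        elif hunks:
            hunks[-1].append(line)
    return hunks


def score_hunk(hunk):
    """Return (score, reasons) for one hunk; higher means 'look at this first'."""
    score, reasons = 0, []
    for line in hunk[1:]:
        body = line[1:]  # drop the ' ', '+' or '-' marker
        if line.startswith("+"):
            for label, rx, weight in ADDED_LINE_INDICATORS:
                if rx.search(body):
                    score += weight
                    reasons.append(f"{label}: {body.strip()}")
        if RISKY_API.search(body):
            score += 2
            reasons.append(f"risky memory API in hunk: {body.strip()}")
    return score, reasons


def triage(old, new):
    """Rank the hunks of old -> new, most fix-like first."""
    ranked = []
    for hunk in unified_hunks(old, new):
        score, reasons = score_hunk(hunk)
        ranked.append({"header": hunk[0], "score": score, "reasons": reasons, "lines": hunk})
    ranked.sort(key=lambda h: h["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for h in triage(OLD_SRC, NEW_SRC):
        print(f"{h['score']:3d}  {h['header']}")
        for r in h["reasons"]:
            print(f"       - {r}")
```

Run against the two constructed snippets, the `parse_record` hunk scores 12 (two new comparisons, two early returns, length identifiers, and the adjacent `memcpy`) while the cosmetic `printf` change scores 0, which is the ordering an attacker reading a fresh release wants and the ordering a defender should assume the attacker has. That is also the practical argument behind the summary's "blocked public access to its bug-tracking database": the tracker entry would save even this triage step.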

  2. True Geeks at Heart by UNHOLYwoo · · Score: 5, Funny

    ", which the company set at $3,133.70 last month" Great, Easter eggs beyond the code.

    1. Re:True Geeks at Heart by wen1454 · · Score: 2, Informative

      31337 = eleet. It took me like 10 minutes to figure that out. I guess that proves I am not a geek.

  3. Re:a couple grand? by Suki+I · · Score: 4, Informative

    You would think you could sell this information to certain other parties for a lot more than that.

    And the potential for damage that can be done to the company's brand, and with all of the money the company has, you'd think they'd pay at least an order of magnitude more, and get a lot more interest in finding and reporting security flaws to boot.

    They are paying pennies for gems of information.

    Some of us like to play nice. Not saying I am in the category of the people who got those rewards, of course.

  4. Re:a couple grand? by Alphanos · · Score: 4, Insightful

    It has to be a careful balance to set bounties like this at the right amount. The information and fixes are valuable, yes. However, if they set the payout too high, it could actually encourage their employees to write buggy software in the hopes of cashing in (i.e. through a friend or family member).

    --
    Alphanos
  5. Re:a couple grand? by Darkness404 · · Score: 4, Insightful

    Yeah, but Google is reputable, you -know- that their $3K is going to be genuine. Good luck suing J. Random Blackhat when the money he pays you turns out to be stolen/fraudulent or never arrives.

    --
    Taxation is legalized theft, no more, no less.
  6. Re:a couple grand? by JackCroww · · Score: 2

    But there is an additional potential payoff. If someone finds enough bugs, I'm sure there's a chance that they could be offered a job by Google, which would most likely pay off both monetarily and socially/job security more than selling the bug details to "certain other parties".

    --
    "Ayn Rand is a bloody socialist compared to me." - Robert A. Heinlein
  7. Re:a couple grand? by Darkness404 · · Score: 3, Insightful

    ...Except for the fact that when Google audits the broken code and finds the person responsible for putting it in they are out a job, and my guess is, stable employment with a decent paycheck and benefits is better than a quick $3K.

    --
    Taxation is legalized theft, no more, no less.
  8. Re:a couple grand? by WillDraven · · Score: 2, Insightful

    I think that's exactly the GP's point. $3k isn't worth risking your job over. $30k or $300k might be.

    --
    This is my sig. There are many like it but this one is mine.
  9. Re:a couple grand? by Achromatic1978 · · Score: 2, Insightful

    Actually, you would be wrong... Google actually pays a fair bit less than many other tech companies, thinking that their 'rep' is some salary too. They used to rely on benefits, too - the cafeterias, etc... but have been cutting back drastically on those.

  10. "ELEETO"? by Bitmanhome · · Score: 2, Funny

    WTF does that mean?

    --
    Not that this wasn't entirely predictable.
  11. Re:learn your colloquialism by twidarkling · · Score: 3, Interesting

    Bollocksing up a common phrase by randomly switching in words is not "flavouring the language." It's "clouding the issue." Use the right phrase, with the right words, or don't use the phrase. You're not avant-garde, you're not clever. You're uneducated. If you're ESL, that's one thing, but then you don't claim you're enjoying flavour in your language. Pretty sure you're just a tool.

    --
    Canada: The US's more awesome sibling.
  12. Re:a couple grand? by Jurily · · Score: 2, Insightful

    I have full control over what I do.

    And I'm Santa Claus.

  13. Re:a couple grand? by Psychotria · · Score: 2, Insightful

      ...Except for the fact that when Google audits the broken code and finds the person responsible for putting it in they are out a job, and my guess is, stable employment with a decent paycheck and benefits is better than a quick $3K.

    Citation please. I find it hard to believe that a Google employee (or an employee of any company) would find themselves out of a job because of broken code.

  14. Re:a couple grand? by interkin3tic · · Score: 2, Funny

    Santa, I'd like some self control this year for christmas.