Slashdot Mirror


Google Fixes 10 Bugs In Chrome, Pays $4000 Bounty

Trailrunner7 writes "It seems Google's bug bounty program is paying some nice dividends, for both sides. Less than two weeks after releasing version 6.0 of its Chrome browser, Google has pushed out another Chrome release, which includes fixes for 10 security bugs, seven of which are rated either critical or high. Google Chrome 6.0.472.59 comes out just 12 days after the last Chrome release, which fixed 14 security bugs. As part of its bug bounty program, Google paid out $4,000 in rewards to researchers who disclosed security flaws in the browser. Most of the security flaws fixed in the new release are in the Windows version of Chrome, but the most serious bug is only in Chrome for Mac."

114 comments

  1. fp? by nomorecwrd · · Score: 1, Funny

    I'm posting from Chrome... should I report a bug if I do not get first post due to latency?

  2. why are the bounties so low? by Surt · · Score: 2, Insightful

    Surely Google could easily afford 10 (maybe even 100) times as much, and that would undoubtedly get a lot more people interested in looking. If they want to win the security war, they should be ramping up the bounties each release.

    --
    "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    1. Re:why are the bounties so low? by Halifax Samuels · · Score: 2, Interesting

      Yes, but what if they paid 10-100 times more and ended up having to pay for 10-100 times more valid bounties due to the increased popularity? It wouldn't look good for them if they had to back down on paying what they promised due to more volume than they intended.

      Not to mention this would create incentive for employees to try intentionally leaving bugs in the code and telling friends how to fix them, trying to wring bounty money from their employer.

    2. Re:why are the bounties so low? by DragonWriter · · Score: 2, Interesting

      Surely Google could easily afford 10 (maybe even 100) times as much, and that would undoubtedly get a lot more people interested in looking.

      Probably they are at the level that Google feels maximizes the cost:benefit ratio.

      If they want to win the security war, they should be ramping up the bounties each release.

      I'm not sure they view this as a "security war" that they need to "win", but even if it was, all they need to do is stay ahead of the competition. What are Mozilla, Microsoft, Apple, or Opera doing in this area that suggests that Google's bounties are too small?

    3. Re:why are the bounties so low? by Surt · · Score: 1

      At 10x$400 = $4K per bug, 10*10 = 100 bugs = $400,000 in bounties. Trivial to a company with a profit margin in the 3 billion range.
      At 100x$400 = 40K per bug, 10*100 = 1000 bugs = $40 million in bounties. Real money, but still affordable.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    4. Re:why are the bounties so low? by Surt · · Score: 2, Interesting

      They certainly should view it as a security war, security has been the primary selling point for chrome from the beginning. If they aren't the best in this department, what would make anyone want to use chrome vs any of the other browsers that are superior in so many other ways?

      And their competitors are paying comparable bounties. Google staying marginally ahead in bounties does not reassure me that they will keep their position.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    5. Re:why are the bounties so low? by Sinistar2k · · Score: 3, Informative

      Mozilla pays $3K for critical security bugs.

      http://www.mozilla.org/security/bug-bounty.html

    6. Re:why are the bounties so low? by Surt · · Score: 1, Redundant

      Part of my point was that Google sells Chrome as the 'secure' browser. They should put their money where their mouth is, instead of suggesting via these bounties that their browser is no better than Mozilla, which doesn't have the backing of a company with billions in profits.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    7. Re:why are the bounties so low? by Cinder6 · · Score: 1

      Superior is debatable. Everyone I know who uses Chrome (including myself) does so because they prefer it, not because of any added security features.

      --
      If you can't convince them, convict them.
    8. Re:why are the bounties so low? by lgw · · Score: 1

      You'd want to keep the bounties low enough that the Google employees working on Chrome aren't incented to create a backchannel (there was a good Dilbert about this, long ago).

      --
      Socialism: a lie told by totalitarians and believed by fools.
    9. Re:why are the bounties so low? by Surt · · Score: 1

      A back-channel would be pretty tough to create and not get caught. At $40k it MIGHT be worth the risk of their job to a googler (if they were pretty stupid), but at $4k it would almost certainly not be worth the risk.

      On your sig: A 121K debt per taxpayer sounds like a lot until you think about paying that off over a 30-40 year working lifetime. Plus, you know that's going to be heavily reduced by inflation. 2015-2025 we're probably going to have 10-15% inflation per year, which will turn that into only 46K or less in today's dollars. Over a 40 year working life, that's like 1K extra in taxes per year. Call me when it hits 10K in extra taxes per year.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    10. Re:why are the bounties so low? by DragonWriter · · Score: 3, Interesting

      They certainly should view it as a security war, security has been the primary selling point for chrome from the beginning.

      The primary selling point for Chrome, at the beginning, was JavaScript speed, which is why most of the promotional effort focussed on the V8 engine and its speed.

      If they aren't the best in this department, what would make anyone want to use chrome vs any of the other browsers that are superior in so many other ways?

      I don't think Google is all that concerned over whether or not Chrome is the leading browser. They don't sell Chrome.

      They do care if common browsers behave in ways which make web content and services using open standards attractive to users, because Google's core business is indexing that kind of content, analyzing it, and selling advertising that leverages services built on top of services using the indexes built from that content.

      Chrome is largely a tool to get other browser manufacturers to adopt features that make it attractive for content developers to use formats and protocols that are conducive to Google's business.

    11. Re:why are the bounties so low? by rm999 · · Score: 2, Insightful

      Chromium is a gift from Google: it is open source under a permissive license. The security of the product, and the prizes Google uses to maintain that security, are the icing on the free cake. We shouldn't complain about it.

      Also, the fact that they are finding bugs means people are looking for them, so it seems they found a good price point. Perhaps the prestige of finding a bug in a major piece of software is worth more than 400 dollars.

    12. Re:why are the bounties so low? by Peach Rings · · Score: 1

      4K for 10 vulnerabilities is pretty low though. Find a critical vulnerability every 2 workdays and you might have a low-range tech salary.

    13. Re:why are the bounties so low? by DragonWriter · · Score: 2, Insightful

      Part of my point was that Google sells Chrome as the 'secure' browser.

      The problem with that point is that it is wrong on a couple of levels.

      First, Google doesn't sell Chrome, it gives it away free.

      Second, Google promotes Chrome primarily as a fast, free, and simple browser. The main Chrome page doesn't mention security at all. The Learn More page linked from the main page lists security after speed and simplicity.

    14. Re:why are the bounties so low? by Surt · · Score: 1

      By sell, I mean convince people to use so that they can gather more statistics to sell to advertisers.

      On the other point, it may well be that Google has given up on security as a main selling point, which would make for one substantially reduced reason to use it.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    15. Re:why are the bounties so low? by Anonymous Coward · · Score: 0

      I can't believe there's somebody here on Slashdot saying that a company should "ramp up" its outsourcing. Because that's what this is. Instead of hiring internal QA to find these things, they pay dirt to thousands of faceless workers -- in fact, they pay these workers absolutely zero dollars unless they actually find something.

      Why hire a local worker when you can outsource? And why pay somebody anything at all, when you can pay them nothing? Congrats Google, you've managed to snow somebody with a 5 digit user id on Slashdot.

    16. Re:why are the bounties so low? by Skim123 · · Score: 1

      On your sig: A 121K debt per taxpayer sounds like a lot until you think about paying that off over a 30-40 year working lifetime. Plus, you know that's going to be heavily reduced by inflation. 2015-2025 we're probably going to have 10-15% inflation per year, which will turn that into only 46K or less in today's dollars. Over a 40 year working life, that's like 1K extra in taxes per year. Call me when it hits 10K in extra taxes per year.

      121K debt per taxpayer is what the national debt is right now. Your whole formula presupposes that the debt won't rise another penny from now through the next 30-40 years. Is that at all likely? The GAO estimates Social Security and Medicare obligations alone will cost us roughly 12 TRILLION in borrowed dollars (in total) between now and 2040 (not adjusted for inflation). And have you seen the proposal for the upcoming fiscal year? We'll be running a $1.6 TRILLION dollar deficit.

      We have reason to be worried about the US deficit and debt. There will certainly be a day of reckoning in our lifetimes.

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtedly, yes.

    17. Re:why are the bounties so low? by DragonWriter · · Score: 1

      On the other point, it may well be that Google has given up on security as a main selling point

      Speed and simplicity and speed* were always the heavily promoted features of Chrome. Almost all of the launch publicity focussed on the V8 JavaScript engine and its speed, and the rest was mostly on the minimalist, get-out-of-the-way UI.

      * Yes, I mean that exactly the way I wrote it.

    18. Re:why are the bounties so low? by lgw · · Score: 1

      On your sig: A 121K debt per taxpayer sounds like a lot until you think about paying that off over a 30-40 year working lifetime. Plus, you know that's going to be heavily reduced by inflation. 2015-2025 we're probably going to have 10-15% inflation per year, which will turn that into only 46K or less in today's dollars. Over a 40 year working life, that's like 1K extra in taxes per year. Call me when it hits 10K in extra taxes per year.

      How many people do you know who can pay off say $40K in credit-card debt given their entire life to do so (without a housing bubble to hide things)? I managed it, but some real austerity was required. I fear some real austerity will be required for the nation as a whole.

      Also, that debt number is going up faster than your $1K/year right now! (Check back to that link from week to week - it's frankly frightening). Talk of paying it down is a bit silly if we can't control ourselves even to the point of keeping it level. I say "we" because this is still a (representative) democracy - the government only mirrors our collective lack of self-control.

      (And you can't inflate your way out of short-term debt, you'll just have to borrow at the new, higher rates if you can't pay it off, and long term rates will jump like crazy if your intent to inflate your way out becomes apparent, so you'll only have short-term borrowing available. It's already $10K per year, and the Laffer curve probably prevents us from raising tax revenues by that much.)

      --
      Socialism: a lie told by totalitarians and believed by fools.
    19. Re:why are the bounties so low? by lavacano201014 · · Score: 1

      security has been the primary selling point for chrome from the beginning

      The primary selling point to me for Chrome was Firefox took all of 90 seconds to load. I assume this is because it was doing something that I probably wanted it to do (like cache images for various websites I go to), but I got tired of waiting a minute and a half longer to check my email.

      --
      A wise man once said, "Where is my other quotation mark?
    20. Re:why are the bounties so low? by zach_the_lizard · · Score: 0

      Chrome also gets advertisement for Google, considering it is Google branded and has Google search by default.

      --
      SSC
    21. Re:why are the bounties so low? by maxume · · Score: 1

      They are trying to increase the number of severe vulnerabilities that they close, not trying to reassure you that they will keep their position.

      --
      Nerd rage is the funniest rage.
    22. Re:why are the bounties so low? by adamdoyle · · Score: 1

      4K for 10 vulnerabilities is pretty low though. Find a critical vulnerability every 2 workdays and you might have a low-range tech salary.

      If we approximate "every 2 work days" to be "2 days a week" (which is being conservative), then we get:

      (2 workdays / week) x (52 weeks / year) = (104 workdays / year) x ($4,000 / workday) = $416,000 / year

      That's a low-range tech salary? Clearly I'm getting robbed...

    23. Re:why are the bounties so low? by adamdoyle · · Score: 1

      I'm an idiot... disregard my above post (it was $400 per bug, not $4000). I need to learn to read.

    24. Re:why are the bounties so low? by Surt · · Score: 1

      There will absolutely be a reckoning, and it will involve massive inflation, for which I am personally well positioned.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    25. Re:why are the bounties so low? by Skim123 · · Score: 1

      There will absolutely be a reckoning, and it will involve massive inflation, for which I am personally well positioned.

      Care to elaborate? Did you borrow a lot of money at a locked in rate to buy gold, per chance?

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtedly, yes.

    26. Re:why are the bounties so low? by Toy G · · Score: 1

      Chrome is largely a tool to get other browser manufacturers to adopt features that make it attractive for content developers to use formats and protocols that are conducive to Google's business.

      ... and to enable Google's customers to use Google revenue-generating services (like GApps) if other browsers fail, which is why they also developed the IE engine replacement.

      --
      -- Let's go Viridian.
    27. Re:why are the bounties so low? by Surt · · Score: 1

      LOL.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    28. Re:why are the bounties so low? by Surt · · Score: 1

      Almost everyone could pay off a 40k credit card debt given either of two things the US government has:

      1) interest rates in the <6% range.
      2) the power to print money.

      Finally, it's nowhere near 10k in taxes per year. You lose the argument with me when your numbers diverge into fantasyland.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    29. Re:why are the bounties so low? by Surt · · Score: 1

      Not gold, but yes, borrowed a lot to buy assets that have held a historically 'fixed' price relative to inflation.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    30. Re:why are the bounties so low? by n0-0p · · Score: 1

      It's not $400 per bug. Many of the bugs were discovered by Google employees, who don't get rewards. That pushes the average down. However, it also makes Google possibly the only company that appears to report all vulnerabilities they internally discover. MS doesn't report any internally discovered vulnerabilities, and even Mozilla will lump numerous internal discoveries under a single bug ID and CVE.

    31. Re:why are the bounties so low? by Anonymous Coward · · Score: 0

      And Google pays $3113.70 for a critical vulnerability. The difference here is that a critical vulnerability on Chrome is code execution outside the sandbox, which is much rarer on Chrome than the equivalent on Firefox.

    32. Re:why are the bounties so low? by Surt · · Score: 1

      Redundant? Thanks for checking the posting order, mods.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    33. Re:why are the bounties so low? by Surt · · Score: 1

      Yikes, that's crazy. Firefox starts in under two seconds for me ... I wonder if you had a bad plugin. Not really fair to compare a configured firefox to a raw chrome.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    34. Re:why are the bounties so low? by lgw · · Score: 1

      Finally, it's nowhere near 10k in taxes per year. You lose the argument with me when your numbers diverge into fantasyland.

      My apologies - it always pays to do the math first. We would need to raise taxes by $12K per year, not $10K, just to break even. Actually paying down the debt would require additional increases, of course. But I'm not sure we could raise revenue that much farther - tax revenue is already 31% of GDP, and while we're not at the peak of the Laffer curve, we're close.

      At this point, to balance the budget, it's: Defence, Social Security, Medicare - pick one.

      1) interest rates in the <6% range.
      2) the power to print money.

      You do realize we only have the one if we don't use the other? If we're perceived as deliberately inflating the currency, interest rates will skyrocket. It might help your personal debt if the government inflates the currency, but it can't help the government's debt (except for really long term stuff).

      --
      Socialism: a lie told by totalitarians and believed by fools.
    35. Re:why are the bounties so low? by lgw · · Score: 1

      I hope you don't think we've hit the bottom of the real-estate market. Fine wines maybe? Collectables? Seems much safer to just buy interest rate derivatives, at least that way your losses are limited to 100%.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    36. Re:why are the bounties so low? by Skim123 · · Score: 1

      Not gold, but yes, borrowed a lot to buy assets that have held a historically 'fixed' price relative to inflation.

      And those assets would be...

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtedly, yes.

    37. Re:why are the bounties so low? by Skim123 · · Score: 1

      I hope you don't think we've hit the bottom of the real-estate market. Fine wines maybe? Collectables? Seems much safer to just buy interest rate derivatives, at least that way your losses are limited to 100%.

      I wager he's talking real estate. Probably been snatching up lower end homes to rent out to the previously home owning subprime market. That would be my guess. I really hope he hasn't gone into debt to buy collectibles or fine wines!

      Speaking of real estate, here's an interesting aerial photograph from a Florida subdivision that was built during the 1970s land boom. No houses were ever built, just sold lots. Today, trees are growing between cracks in the roads.

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtedly, yes.

    38. Re:why are the bounties so low? by Surt · · Score: 1

      Some property, some diversified precious metals funds. I bought property at foreclosure, at about 30% of market, so I can absorb about 50% more loss in the market before I'd resell at a loss. In any case the rents I can get are going for more than mortgage and property tax. That buy is also leveraged which is nice. The diversified precious metals you can get pretty much anywhere, I'd just avoid any that have significant holdings in gold since (IMO) gold (and to a lesser extent, also silver) is way overvalued right now.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    39. Re:why are the bounties so low? by Surt · · Score: 1

      Flamebait mods? Who am I baiting here?

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    40. Re:why are the bounties so low? by lavacano201014 · · Score: 1

      Well Flash has a history of giving me issues, so I'm wondering if it was taking forever because it was trying to get Flash all the way loaded first.

      Whereas with Chrome I assume it does what it does with all other things and loads Flash in a separate process. Sometimes half my Chrome extensions aren't quite loaded up yet when the first tab gets ready to go, so that could be related to how things speed up.

      --
      A wise man once said, "Where is my other quotation mark?
    41. Re:why are the bounties so low? by Anonymous Coward · · Score: 0

      Part of my point was that Google sells Chrome as the 'secure' browser. They should put their money where their mouth is, instead of suggesting via these bounties that their browser is no better than Mozilla, which doesn't have the backing of a company with billions in profits.

      Mozilla was/will be backed by Google with approx. US$56.8 million in 2011.

  3. Print preview! One feature that I miss by bogaboga · · Score: 1, Troll

    Tell me about Chrome when print preview is included. The trouble is that inclusion of this [basic] feature in Chrome will introduce yet another set of bugs. Scary! Come on Google.

    1. Re:Print preview! One feature that I miss by ickleberry · · Score: 1

      Because Google believes that printing is a sinful activity which is bad for the environment and that you should just share it through Google Docs and provide them with more data to mine?

    2. Re:Print preview! One feature that I miss by tepples · · Score: 1

      Because Google believes that printing is a sinful activity which is bad for the environment

      So is rolling diesel trucks to install broadband everywhere, including currently unprofitable rural areas.

    3. Re:Print preview! One feature that I miss by Yvan256 · · Score: 2, Informative

      With Mac OS X, you can print directly to a PDF file. And we don't need anything from Adobe to read those files either. From a user point of view, a PDF is no different than a PNG or a JPEG.

    4. Re:Print preview! One feature that I miss by DragonWriter · · Score: 1

      Because Google believes that printing is a sinful activity which is bad for the environment and that you should just share it through Google Docs and provide them with more data to mine?

      Chrome supports printing, it just doesn't have print preview. While I miss it sometimes, web pages tend to be (even with the differences between paged and screen media) WYSIWYG enough that print preview isn't a big deal to me. Obviously, it is for some people though.

    5. Re:Print preview! One feature that I miss by geekoid · · Score: 1

      Depends.

      If the broad band means people need to travel less, then it will probably be a gain.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    6. Re:Print preview! One feature that I miss by geekoid · · Score: 1

      That's the same with Windows, and has been for years.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    7. Re:Print preview! One feature that I miss by Anonymous Coward · · Score: 0

      That's the same with Windows, and has been for years.

      Yeah, but with a Mac, you don't need to install CutePDF to do it.

    8. Re:Print preview! One feature that I miss by knarf · · Score: 2, Insightful

      With Linux, you can print directly to a PDF or PS file. And we don't need anything from Adobe to read those files either.

      This has been possible for years and years and years, long before St. Jobs had the revelation which led him to base his OS on a unix.

      Ghostscript - which enables you to do these things - was first released in 1986. Mac OS X was first released in 2001...

      --
      --frank[at]unternet.org
    9. Re:Print preview! One feature that I miss by Missing.Matter · · Score: 1

      Look at what Microsoft had to do to get print to PDF working in Office. It was originally included by default, then became an optional download because Adobe had a problem with it. Imagine what kind of objections Adobe would raise if they integrated it into Windows.

    10. Re:Print preview! One feature that I miss by Anonymous Coward · · Score: 0

      You can happily have it through an extension.
      I'd rather not have my interface bogged up with useless crap I wouldn't use.

      Same goes for those who want a "Send this" / "Email this" added. Possibly the worst feature ever to be included in a context menu.
      "OH HEY, WANT TO SAVE THIS IMAGE? BETTER YET, LET'S EMAIL IT TO ALL YOUR MSN BUDDIES!"
      So glad they haven't added it by default and instead allowed for people to add their own context menu items from extensions.

    11. Re:Print preview! One feature that I miss by Stooshie · · Score: 1

      Bet you're glad that Adobe intentionally didn't patent publishing to a PDF format precisely in order to allow this kind of thing. That's real openness.

      --
      America, Home of the Brave. ... .and the Squaw.
    12. Re:Print preview! One feature that I miss by Yvan256 · · Score: 1

      Yes I'm glad. But then again we don't have idiots trying to make "PDF websites" like we have with Flash.

    13. Re:Print preview! One feature that I miss by Stooshie · · Score: 1

      Sites entirely written in flash are fine if they are RIAs. I have seen some "PDF websites" though and, yes, they do suck big time!

      --
      America, Home of the Brave. ... .and the Squaw.
  4. Re:Macs by Anonymous Coward · · Score: 0

    It isn't an Apple product.

  5. Thankless job indeed... by RobinEggs · · Score: 2, Insightful

    So a wealthy company internationally famous for its creative and lavish benefits to employees, a company with a share price of $480, paid a total of $4,000 to outsiders who informed them of 10 major bugs in their software? They paid out $400 per bug?

    The bounty for finding and documenting a bug in a Google product isn't even enough to buy one share of Google stock? That's downright insulting.

    1. Re:Thankless job indeed... by Anonymous Coward · · Score: 0

      The share price of a stock means nothing because it is based off the number of shares they decided to print off.

      The market capitalization ($153 billion) is the number you want to throw around.

    2. Re:Thankless job indeed... by Anonymous Coward · · Score: 1, Interesting

      So a wealthy company internationally famous for its creative and lavish benefits to employees, a company with a share price of $480, paid a total of $4,000 to outsiders who informed them of 10 major bugs in their software? They paid out $400 per bug?

      The bounty for finding and documenting a bug in a Google product isn't even enough to buy one share of Google stock? That's downright insulting.

      There really is no pleasing some people.

      If Google executes a stock split, so that there are ten new shares for each old one, the price will change from $480 to $48. Will that make you happy?

    3. Re:Thankless job indeed... by zlogic · · Score: 3, Insightful

      Chrome is an open source project, except that some of it is sponsored by Google. So hacking Gnome or the Linux kernel for free is OK (and by the way a lot of Linux kernel code was written by fulltime employees of Red Hat and other companies, just like Chrome) but fixing bugs for Chrome is not? Think of it as Google's Summer of Code, except on a smaller scale.

    4. Re:Thankless job indeed... by DragonWriter · · Score: 3, Informative

      Thankless job indeed...

      Um, I think you are confused.

      People whose job it is to find bugs in Google software are Google employees. Their pay is not, I would assume, simply "by the bug", and I suspect that their pay is quite good.

      Google happens to also give out bounties -- which many competitors don't -- as a kind of "thank you" to people who voluntarily report security bugs to Google. I'm not sure why you think that the standard for whether this is something nice or an "insult" is whether the bounty for the average bug is greater or less than the price of one share of Google stock.

    5. Re:Thankless job indeed... by natehoy · · Score: 2, Insightful

      Personally, for FREE software, I'd be happy just to get the damned bug acknowledged and fixed in a jiffy, and maybe have my name in lights for doing the legwork. Any payment should be considered a rather nice bonus.

      No matter how small or insulting it is, it's still 100% more than Microsoft pays for bug reports, and Microsoft's release schedule on the fixes is downright glacial compared to Google or Firefox. Assuming they don't outright ignore you or threaten to sue you for violating the EULA.

      Which model is the most insulting again?

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    6. Re:Thankless job indeed... by Anonymous Coward · · Score: 1, Interesting

      If you want to see if the reward is priced appropriately you should compare the hourly pay of a quality engineer to the amount of time it takes them to find a bug on average. How many shares of stock you can buy is as irrelevant as saying "it's not even enough to buy one macbook!".

    7. Re:Thankless job indeed... by Anonymous Coward · · Score: 0

      I believe the whole point of this is that they ARE thanking people - what they are doing for Google is not a job (in the sense that they are not a true employee of Google...minus Chris Evans, who actually works for Google), it is a hobby.

      This is a positive thing that hopefully becomes a trend.

    8. Re:Thankless job indeed... by Achromatic1978 · · Score: 1

      No matter how small or insulting it is, it's still 100% more than Microsoft pays for bug reports, and Microsoft's release schedule on the fixes is downright glacial compared to Google or Firefox. Assuming they don't outright ignore you or threaten to sue you for violating the EULA.

      Nice FUD. Microsoft issues patches monthly, and more frequently, out-of-band for critical security fixes.

      Please, point to the last instance where MSFT threatened to sue for violating the EULA by reporting a bug in IE.

      Go on, I'm waiting...

      Borderline troll, I think.

    9. Re:Thankless job indeed... by melted · · Score: 2, Interesting

      What "lavish" benefits are you talking about? Lunches? Lunches pay for themselves because they all of a sudden take 25-30 minutes instead of an hour or more. At $100+ (sometimes way more than that) per hour it just makes sense for a company to pay for lunches. Buses to and from work? Umm. OK, I'll give you that (even though Microsoft also has buses). On-site gym that hardly anyone goes to? What else?

      Google is actually pretty bare bones on the inside. They hire three good engineers where other companies would hire 10 passable ones, and give them twice as much work. And yeah, they feed them, so that they'd have more time to do work.

    10. Re:Thankless job indeed... by Zero__Kelvin · · Score: 3, Interesting

      "Personally, for FREE software, I'd be happy just to get the damned bug acknowledged and fixed in a jiffy, ...

      By way of agreeing with you, I know that there are millions of people paying for software who pretty much never expect bugs to be fixed in a jiffy, and in fact have become completely complacent in accepting that many known security flaws have no plan for being fixed at all.

      Or in other words:

      Bounty paid by Google: $400.00
      Bounty paid by Apple and Microsoft: $0.00 (i.e. it isn't even an option)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    11. Re:Thankless job indeed... by Zero__Kelvin · · Score: 1

      "Nice FUD. Microsoft issues patches monthly, and more frequently, out-of-band for critical security fixes."

      And also quite frequently they announce that they have no plans for fixing an important security flaw.

      Please, point to the last instance where MSFT threatened to sue for violating the EULA by reporting a bug in IE.

      That would be the last time someone clicked on the EULA, which was probably a few femtoseconds ago, no matter when you read this. The EULA explicitly forbids reverse engineering of their product(s). In order to effectively identify a bug you need to reverse engineer the software. Ergo, Microsoft is explicitly threatening that they might sue you if you identify and disclose a bug every time they ask (force?) you to click the EULA.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    12. Re:Thankless job indeed... by Anonymous Coward · · Score: 0

      So a wealthy company internationally famous for its creative and lavish benefits to employees, a company with a share price of $480, paid a total of $4,000 to outsiders who informed them of 10 major bugs in their software? They paid out $400 per bug?

      The bounty for finding and documenting a bug in a Google product isn't even enough to buy one share of Google stock? That's downright insulting.

      You bastard.

    13. Re:Thankless job indeed... by Anonymous Coward · · Score: 0

      And yet the $400 bounty has been enough to bring 10 security bugs to light.
      If they paid $10k per bug would they have got a better result? If they did get more, would they have been able to patch them all quickly enough?

      They want their bounty set at a level which brings in bugs at a rate they can handle; too fast, and you have vulnerabilities leaking to the public quicker than they can be patched.
      When they get no new bugs found, then it is time to step up the bounty to attract fresh and better hunters.

    14. Re:Thankless job indeed... by Brian+Quinlan · · Score: 2, Informative

      What "lavish" benefits are you talking about? Lunches? Lunches pay for themselves because they all of a sudden take 25-30 minutes instead of an hour or more. At $100+ (sometimes way more than that) per hour it just makes sense for a company to pay for lunches. Buses to and from work? Umm. OK, I'll give you that (even though Microsoft also has buses). On-site gym that hardly anyone goes to? What else?

      • Tuition reimbursement up to $12,000 per year.
      • Back-Up Child Care
      • Charity gift matching
      • Adoption assistance
      • On-site doctor (though dental seems more useful to me), oil change, games rooms, car wash, laundry, dry cleaning, massage, barber, fitness classes, bike repair, tech talks (by Barack Obama, Randall Munroe, etc.)
      • Annual ski trip and other random trips e.g. one
      • 20% time (is that a benefit?)

      Plus the usual as far as medical, dental, stock options, etc. And probably a bunch of other stuff that I don't know about.

      Google is actually pretty bare bones on the inside.

      Compared to?

    15. Re:Thankless job indeed... by Anonymous Coward · · Score: 0

      You have incorrect pricing information: http://blog.chromium.org/2010/07/celebrating-six-months-of-chromium.html / http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_14.html

            1. The maximum reward for a single bug has been increased to $3,133.7. We will most likely use this amount for SecSeverity-Critical bugs in Chromium. The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity.

            2. Whilst the base reward for less serious bugs remains at $500, the panel will consider rewarding more for high-quality bug reports. Factors indicating a high-quality bug report might include a careful test case reduction, an accurate analysis of root cause, or productive discussion towards resolution.

    16. Re:Thankless job indeed... by Toy+G · · Score: 1

      20% time (is that a benefit?)

      That's not a benefit, because that 20% time must be employed on projects that will, indirectly or directly, eventually benefit Google itself. I.e. you can't just play with your Spaceballs dolls.

      --
      -- Let's go Viridian.
    17. Re:Thankless job indeed... by melted · · Score: 1

      Going over your list in order:
      1. Which no one uses since you end up working 60-70 hours a week
      2. Don't you have to pay for that these days?
      3. Don't see how this is a benefit to me.
      4. Don't see how this is a benefit to most Googlers who don't adopt. The extent of "assistance" is unclear.
      5. More like a "nurse". This "doctor" can't even write prescriptions. The most you can get is over the counter medications and cholesterol screening. Other than tech talks, gym and game rooms, you have to pay for all other "benefits".
      6. This is common in large tech companies. Not all offices get "ski trips".
      7. That's 20% on top of your 120% you're already spending on your main project. Not a benefit at all.

      >> Compared to?

      Compared to even Microsoft. Here are the benefits I really want:
      1. Microsoft-style "Cadillac" fully employer-paid health plan with complete coverage and no co-pays or deductibles.
      2. More vacation time. Say, 5 weeks instead of 3.
      3. Separate offices for engineers who want them. It's difficult to concentrate when other people are talking.

      Give me these three and keep all the rest.

      Don't get me wrong, I'm not complaining. It's just easier to get stuff done here, the quality of the workforce is much higher than anywhere else, and I'm paid substantially more. But the only people who call Google benefits "lavish" are those who joined right out of school, or from a really shitty employer.

  6. i'm glad this is happening by buddyglass · · Score: 3, Interesting

    What I'd like to see next: Google pays bounty for bugs in other browsers (which it then forwards to those companies for repair).

    This would be hilarious. You might think it'd be bad business (why should Google pay for bug finds that will benefit its competition?), but I think it'd be PR gold. Not to mention it would have the side effect of improving all-around security. (So Google could cast the new bounty as an altruistic gesture).

    1. Re:i'm glad this is happening by TheViciousOverWind · · Score: 1

      What are you smoking?
      Not even Google have enough money for all those bugs in IE!

      --
      My <1000 UID is with a hot chick
    2. Re:i'm glad this is happening by thestudio_bob · · Score: 1

      You know, I was wondering if these bug fixes bleed over into Webkit, which Apple's Safari would no doubt benefit from. So maybe they are already doing something like this.

      --
      The real Sig captains the Northwestern. This one captains /.
    3. Re:i'm glad this is happening by Yvan256 · · Score: 1

      Since Google uses Webkit which is from Apple, I think Apple kinda knew that these kinds of benefits could happen some day.

    4. Re:i'm glad this is happening by geekoid · · Score: 1

      I could start a browser company and write myself a Winnebago.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    5. Re:i'm glad this is happening by aBaldrich · · Score: 1

      Well, Google provides over 80% of the Mozilla Foundation's funding, and Mozilla pays $3000 per bug, so effectively Google is paying bounties for other browsers.

      --
      In soviet russia the government regulates the companies.
  7. Re:Macs by nomorecwrd · · Score: 3, Funny

    It isn't an Apple product.

    'cuz if it were, the system would reboot if you use the mouse and keyboard simultaneously.

    Just don't type like that!!

  8. Not a dupe, but still old news. by asylumx · · Score: 2, Informative

    http://tech.slashdot.org/story/10/09/03/0133211/Google-Releases-Chrome-6-Pays-4337-In-Bounties

    Are we going to hear about this as if it's fresh news *every* time it happens?

  9. How many people actually claimed the bounties. by He+who+knows · · Score: 1

    There is no mention of how many people claimed the bounties even if they were able to. I think some of the people simply reported the bugs when they found them and did not claim any money.

  10. sliding scale! by FranTaylor · · Score: 1

    $0.10 for an IE bug

    $4000 for a Chrome bug

    1. Re:sliding scale! by TheViciousOverWind · · Score: 1

      What are you smoking?
      Not even Google have enough money for all those bugs in IE!

      --
      My <1000 UID is with a hot chick
    2. Re:sliding scale! by jimmypw · · Score: 1

      $.10? That's generous. They're two a penny!

  11. You get $3000 per bug by Anonymous Coward · · Score: 0

    Just so you know. Not only Google offers rewards.
    Mozilla does the same:
    http://www.mozilla.org/security/bug-bounty.html

  12. Re:Macs by Yvan256 · · Score: 1

    Stop trolling, my Mac never rebooted while I us@$#![]5;ca'?!2goAg=

  13. Re:Macs by Yvan256 · · Score: 2, Funny

    5[f;'~R:'`#&gZ{=ahile I used the mouse and keyboard simultaneously.

  14. Re:Macs by BlackSnake112 · · Score: 3, Funny

    Rebooting, logging in, and connecting back to slashdot in under a min. Apple machines are fast.

  15. Oh joy... by SanityInAnarchy · · Score: 1

    I'm glad some bugs were fixed, but it seems I now can't paste into Slashdot comment boxes. Chrome bug or Slashdot bug?

    --
    Don't thank God, thank a doctor!
    1. Re:Oh joy... by Anonymous Coward · · Score: 0

      PEBKAC FTW ??

    2. Re:Oh joy... by SanityInAnarchy · · Score: 1

      ...possibly? It seems to work now, at least. Maybe it was only on that page?

      I did try ctrl+v, middle click, and right-click->paste. I even opened up the developer tools and manually changed the attribute. Nothing worked other than manually re-typing into the box.

      --
      Don't thank God, thank a doctor!
    3. Re:Oh joy... by FiloEleven · · Score: 1

      Huh, I just started encountering this today. Doesn't work in this comment box either. Guess I'll just have to get used to responses with [citation needed] =)

    4. Re:Oh joy... by geekoid · · Score: 1

      It happens to me. Interesting, there is a little square in front of the 'Ctrl-V' I get when right clicking on the field to select paste. So there is some character it's not displaying correctly.

      And yes, I can paste into other documents just fine.

      I am using Chrome on XP.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  16. Hello I am Prince of Ngiera by Anonymous Coward · · Score: 0

    Being found bugs in browsers, found by I will pay more can Google. If wish money you do, forward 500 dollars american and bug to me.

  17. Version Number Inflation? by Anonymous Coward · · Score: 0

    Version 6.0 in how long? They'll be on version 100.0 by the time Firefox reaches version 5.0.

  18. Scabbing by stagg · · Score: 0, Troll

    Bug bounties are really not far off from scab work at all. Companies use bounties and contests to replace what could otherwise be lucrative positions for permanent employees. And as long as there are people out there willing to do the work for free, the company has no incentive to create those positions. They just paid $400 a bug to get god knows how many people to run QA for them, and paid out the ten people that got in fresh, reproducible bugs the fastest. This is great for the companies running the contests, but it sure isn't good for workers or the industry.

    1. Re:Scabbing by Anonymous Coward · · Score: 0

      Um, Chrome's free.

    2. Re:Scabbing by totally+bogus+dude · · Score: 1

      What's that got to do with anything? I'm pretty sure Google established a pretty compelling business case for releasing their own free web browser well before they committed resources to it.

  19. Version Number by Anonymous Coward · · Score: 0

    > Google Chrome 6.0.472.59

    Please forgive my ignorance.
    May some kind soul explicate the necessity/desirability of this version numbering scheme?

  20. It's got more bugs that it lets on by Anonymous Coward · · Score: 0

    Security bugs? I still can't get past the constant JavaScript and CSS error reports on almost every web page that I try. It seems that Google knows how to pontificate about how a web page should be designed but not how to load a page in its own browser... or should I say what was already a perfectly working web browser before they merely changed the branding and nobbled it!

  21. Is there an update feature? by turkeyfish · · Score: 1

    With the bug fixes coming so quickly one after the other, Chrome needs an automatic update option to have it download and install new versions rather than requiring manual downloads. Is this in the works? Or have I missed something in the "Options" box?

    1. Re:Is there an update feature? by zlogic · · Score: 1

      Chrome updates automatically, this was a feature from the earliest 0.x beta versions. You can force an update check by opening the "About Chrome" window. However even though the update is downloaded and installed automatically, a restart of Chrome is required to actually use the newest version.

    2. Re:Is there an update feature? by simoncpu+was+here · · Score: 1

      The Update Manager already does this for Ubuntu users...

  22. 'pushed out' by hohokus · · Score: 1

    can we please stop using the phrase 'push out'? it conjures up an image of a turd every single time. of course, maybe that's the idea?